argilla-1.25.0-py3-none-any.whl: 1 vulnerabilities (highest severity is: 10.0) unreachable

[mend-for-github-com]

Vulnerable Library - argilla-1.25.0-py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /tmp/ws-ua_20260219120409_AEEMWL/python_IKDEBG/20260219120410/nltk-3.9.2-py3-none-any.whl

Found in HEAD commit: c2a0de4212c13487918a46a2935ca84031dd91aa

Vulnerabilities

Vulnerability	Severity	CVSS	Exploit Maturity	EPSS	Dependency	Type	Fixed in (argilla version)	Remediation Possible**	Reachability
CVE-2025-14009	Critical	10.0	Not Defined	0.4%	nltk-3.9.2-py3-none-any.whl	Transitive	N/A*	❌	Unreachable

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2025-14009

Vulnerable Library - nltk-3.9.2-py3-none-any.whl

Natural Language Toolkit

Library home page: https://files.pythonhosted.org/packages/60/90/81ac364ef94209c100e12579629dc92bf7a709a84af32f8c551b02c07e94/nltk-3.9.2-py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /tmp/ws-ua_20260219120409_AEEMWL/python_IKDEBG/20260219120410/nltk-3.9.2-py3-none-any.whl

Dependency Hierarchy:

• argilla-1.25.0-py3-none-any.whl (Root Library)
  • ❌ nltk-3.9.2-py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: c2a0de4212c13487918a46a2935ca84031dd91aa

Found in base branch: main

Reachability Analysis

The vulnerable code is unreachable

Vulnerability Details

A critical vulnerability exists in the NLTK downloader component of nltk/nltk, affecting all versions. The _unzip_iter function in nltk/downloader.py uses zipfile.extractall() without performing path validation or security checks. This allows attackers to craft malicious zip packages that, when downloaded and extracted by NLTK, can execute arbitrary code. The vulnerability arises because NLTK assumes all downloaded packages are trusted and extracts them without validation. If a malicious package contains Python files, such as init.py, these files are executed automatically upon import, leading to remote code execution. This issue can result in full system compromise, including file system access, network access, and potential persistence mechanisms.
Mend Note: The description of this vulnerability differs from MITRE.

Publish Date: 2026-02-18

URL: CVE-2025-14009

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.4%

CVSS 3 Score Details (10.0)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

[mend-for-github-com]

✔️ This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.

[mend-for-github-com]

ℹ️ This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.