[Issue]: Nltk version used has a CVE

[jkafrouni]

Do you need to file an issue?

• I have searched the existing issues and this bug is not already filed.
• My model is hosted on OpenAI or Azure. If not, please look at the "model providers" issue and don't file a new one here.
• I believe this is a legitimate bug, not just a question. If this is a question, please use the Discussions area.

Describe the issue

Graphrag currently uses nltk==3.9.1 as a dependency.
This version has a vulnerability: https://nvd.nist.gov/vuln/detail/CVE-2025-14009
The guidance is to upgrade to 3.9.3.

Looking quickly at the nltk changelog I do not see breaking changes that would affect graphrag, but happy to look more into it and open a PR.

Steps to reproduce

No response

GraphRAG Config Used

# Paste your config here

Logs and screenshots

No response

Additional Information

• GraphRAG Version: 3.0.6
• Operating System:
• Python Version:
• Related Issues:

[NameIsTimYes]

Is there any news on this? Right now nltk 3.9.1 has three CVE's with scores of 10.0, 10.0 and 8.6. We are using this package in an AI production environment, and this is causing us some major issues regarding compliancy. From what I see it seems safe to bump NLTK from 3.9.1 to 3.9.3.

Any timeline on when this might actually be fixed?

[jkafrouni]

@natoverse sorry for tagging you directly on this but any thoughts on this one? like @NameIsTimYes mentioned this is a critical vulnerability so users of graphrag in production would have a pretty tight deadline to address it to be compliant with whatever component governance tools they use. I can't think of any workaround other than forking.
Thanks!

[NameIsTimYes]

Any update on this? This is causing quite some problems with our compliance department.