CVE-2025-13836

MEDIUM EPSS 70.5%
Published Dec 1, 2025 (7mo ago) · Modified Jun 17, 2026 (1w ago)
6.3 CVSS 4.0
Medium

Description

When reading an HTTP response from a server, if no read amount is specified, the default behavior is to read the number of bytes given by the server-supplied Content-Length header. This allows a malicious server to cause the client to read large amounts of data into memory, potentially causing an out-of-memory (OOM) condition or other denial of service.
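As an added illustration (not from the advisory or the CPython patches), a defensive client-side read for the behaviour described above: it refuses a server-declared Content-Length above a configured cap and reads the body in bounded chunks, never calling read() with no amount. The fake socket and the three sample responses are constructed for offline use.

```python
import http.client
import io

# Constructed sample responses (not from the advisory). The first claims a
# 10 GiB body but carries only a few bytes; a client calling read() with no
# amount would attempt to buffer the declared size.
HUGE_RESPONSE = (b"HTTP/1.1 200 OK\r\n"
                 b"Content-Length: 10737418240\r\n\r\nhello world")
SMALL_RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Length: 11\r\n\r\nhello world"
# HTTP/1.0 style: no Content-Length, body runs until the connection closes.
NO_LENGTH_RESPONSE = b"HTTP/1.0 200 OK\r\n\r\n" + b"A" * 100


class _FakeSocket:
    """Minimal stand-in for a socket so HTTPResponse can parse bytes offline."""

    def __init__(self, data: bytes) -> None:
        self._file = io.BytesIO(data)

    def makefile(self, mode: str, *args, **kwargs) -> io.BytesIO:
        return self._file


def parse_response(raw: bytes) -> http.client.HTTPResponse:
    """Parse status line and headers; the body is left unread on the wire."""
    resp = http.client.HTTPResponse(_FakeSocket(raw), method="GET")
    resp.begin()
    return resp


def declared_length_ok(resp: http.client.HTTPResponse, max_bytes: int) -> bool:
    """Reject up front when the declared Content-Length exceeds the cap."""
    declared = resp.getheader("Content-Length")
    if declared is None:
        return True  # nothing declared; the bounded loop below still caps it
    try:
        return int(declared) <= max_bytes
    except ValueError:
        return False  # malformed header from an untrusted server: refuse


def read_body_bounded(resp: http.client.HTTPResponse, max_bytes: int,
                      chunk_size: int = 64 * 1024) -> bytes:
    """Read at most max_bytes, always passing an explicit amount to read()."""
    if not declared_length_ok(resp, max_bytes):
        raise ValueError("server declared Content-Length above the configured cap")
    buf = bytearray()
    while len(buf) < max_bytes:
        chunk = resp.read(min(chunk_size, max_bytes - len(buf)))
        if not chunk:  # body complete or connection closed
            break
        buf += chunk
    return bytes(buf)
```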

CVSS Details

Base Score
6.3
Vector string
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope X

Threat Intelligence

EPSS Exploit Probability
70.5% (percentile)
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses (1)

CWE-400: Uncontrolled Resource Consumption (Resource Mgmt)

Affected Products (7)

Vendor   Product   Version   Range
python   python    *         <3.10.20
python   python    *         ≥3.11.0 – <3.11.15
python   python    *         ≥3.12.0 – <3.12.13
python   python    *         ≥3.13.0 – <3.13.11
python   python    3.14.0    any
python   python    3.15.0    any
python   python    3.15.0    any

References (9)

  • github.com https://github.com/python/cpython/commit/14b1fdb0a94b96f86fc7b86671ea9582b8676628
    Patch
  • github.com https://github.com/python/cpython/commit/289f29b0fe38baf2d7cb5854f4bb573cc34a6a15
    Patch
  • github.com https://github.com/python/cpython/commit/4ce27904b597c77d74dd93f2c912676021a99155
    Patch
  • github.com https://github.com/python/cpython/commit/5a4c4a033a4a54481be6870aa1896fad732555b5
    Patch
  • github.com https://github.com/python/cpython/commit/5dc101675fd22918facbbe0fecdc821502beaaf0
    Patch
  • github.com https://github.com/python/cpython/commit/afc40bdd3dd71f343fd9016f6d8eebbacbd6587c
    Patch
  • github.com https://github.com/python/cpython/issues/119451
    Issue Tracking, Patch
  • github.com https://github.com/python/cpython/pull/119454
    Issue Tracking, Patch
  • mail.python.org https://mail.python.org/archives/list/security-announce@python.org/thread/OQ6G7MKRQIS3OAREC3HNG3D2DPOU34XO/
    Vendor Advisory

Remediation

  • github.com https://github.com/python/cpython/commit/14b1fdb0a94b96f86fc7b86671ea9582b8676628
    Patch
  • github.com https://github.com/python/cpython/commit/289f29b0fe38baf2d7cb5854f4bb573cc34a6a15
    Patch
  • github.com https://github.com/python/cpython/commit/4ce27904b597c77d74dd93f2c912676021a99155
    Patch
  • github.com https://github.com/python/cpython/commit/5a4c4a033a4a54481be6870aa1896fad732555b5
    Patch
  • github.com https://github.com/python/cpython/commit/5dc101675fd22918facbbe0fecdc821502beaaf0
    Patch
  • github.com https://github.com/python/cpython/commit/afc40bdd3dd71f343fd9016f6d8eebbacbd6587c
    Patch
  • github.com https://github.com/python/cpython/issues/119451
    Issue Tracking, Patch
  • github.com https://github.com/python/cpython/pull/119454
    Issue Tracking, Patch