CVE-2025-13836

When reading an HTTP response from a server, if no read amount is specified, the client defaults to reading the number of bytes announced in the Content-Length header. This allows a malicious server to make the client read a large amount of data into memory, potentially causing an out-of-memory condition or other denial of service.
CVSS assessments by provider

Provider    Type    Base Score    Atk. Vector    Atk. Complexity    Priv. Required    Vector
NIST        NIST    UNKNOWN                                                             ---
PSF         CNA     ---                                                                 ---
CISA-ADP    ADP     ---                                                                 ---

Status: awaiting analysis. This vulnerability is currently awaiting analysis, so no CVSS 3.x base score has been assigned.

EPSS score percentile: 13%
Debian Releases

Product       Codename              Status
python3.11    bookworm              vulnerable
python3.11    bookworm (security)   vulnerable
python3.13    trixie                vulnerable
python3.13    forky                 vulnerable
python3.13    sid                   vulnerable
python3.14    forky                 vulnerable
python3.14    sid                   vulnerable
python3.9     bullseye              vulnerable
python3.9     bullseye (security)   vulnerable
Ubuntu Releases

Product       Codename    Status
python2.7     questing    dne
python2.7     plucky      dne
python2.7     noble       dne
python2.7     jammy       needs-triage
python2.7     focal       needs-triage
python2.7     bionic      needs-triage
python2.7     xenial      needs-triage
python2.7     trusty      needs-triage
python3.4     questing    dne
python3.4     plucky      dne
python3.4     noble       dne
python3.4     jammy       dne
python3.4     trusty      needs-triage
python3.5     questing    dne
python3.5     plucky      dne
python3.5     noble       dne
python3.5     jammy       dne
python3.5     xenial      needs-triage
python3.5     trusty      needs-triage
python3.6     questing    dne
python3.6     plucky      dne
python3.6     noble       dne
python3.6     jammy       dne
python3.6     bionic      needs-triage
python3.7     questing    dne
python3.7     plucky      dne
python3.7     noble       dne
python3.7     jammy       dne
python3.7     bionic      needs-triage
python3.8     questing    dne
python3.8     plucky      dne
python3.8     noble       dne
python3.8     jammy       dne
python3.8     focal       needs-triage
python3.8     bionic      needs-triage
python3.9     questing    dne
python3.9     plucky      dne
python3.9     noble       dne
python3.9     jammy       dne
python3.9     focal       needs-triage
python3.10    questing    dne
python3.10    plucky      dne
python3.10    noble       dne
python3.10    jammy       needs-triage
python3.11    questing    dne
python3.11    plucky      dne
python3.11    noble       dne
python3.11    jammy       needs-triage
python3.12    questing    dne
python3.12    plucky      dne
python3.12    noble       needs-triage
python3.12    jammy       dne
python3.13    questing    needs-triage
python3.13    plucky      needs-triage
python3.13    noble       dne
python3.13    jammy       dne
python3.14    questing    needs-triage
python3.14    plucky      dne
python3.14    noble       dne
python3.14    jammy       dne

(dne = package does not exist in that release)