CVE-2025-13836
01.12.2025, 18:16
When reading an HTTP response from a server with Python's standard-library `http.client`, if no read amount is specified (`HTTPResponse.read()` called without an argument), the default behaviour is to size the read from the server-supplied Content-Length header. A malicious server can therefore make the client allocate and read an arbitrarily large amount of data into memory, causing an out-of-memory condition or other denial of service. Until an upgraded interpreter is in place, clients that talk to untrusted servers should always pass an explicit amount to `read()` and enforce their own upper bound on the body size.
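The following is an added example, not CPython's code or its fix. It assumes the affected call is `http.client.HTTPResponse.read()` with no amount; the local server, its request paths (`/honest`, `/big`, `/lying`), the limit `MAX_BODY` and the chunk size `CHUNK` are all constructed for the demonstration. The server advertises a terabyte-sized Content-Length and then hangs up after five bytes; the bounded reader never lets that header decide an allocation, and separately rejects a body that is genuinely larger than the application's limit.

```python
"""Bounded reading of an HTTP response body whose Content-Length is hostile.

Added example for CVE-2025-13836; it is not CPython's code or its fix. It runs
a constructed local server that, by request path, either answers honestly,
returns a body larger than the client's limit, or advertises an absurd
Content-Length and then hangs up. The client never calls read() without an
amount, so the advertised length never decides how much memory is allocated.
"""
import http.client
import socketserver
import threading

MAX_BODY = 64 * 1024  # hypothetical application limit (64 KiB), an assumption
CHUNK = 16 * 1024     # the only buffer size the client ever allocates per read


class ResponseTooLarge(Exception):
    """Raised when the body exceeds MAX_BODY, whatever Content-Length said."""


class _LyingHandler(socketserver.StreamRequestHandler):
    """Constructed test server: three behaviours selected by request path."""

    def handle(self):
        request_line = self.rfile.readline()
        while self.rfile.readline() not in (b"\r\n", b"\n", b""):
            pass  # discard request headers up to the blank line
        parts = request_line.split()
        path = parts[1] if len(parts) > 1 else b"/"
        if path == b"/honest":
            body, declared = b"hello", 5
        elif path == b"/big":
            body = b"A" * (MAX_BODY + 1)
            declared = len(body)
        else:  # /lying: promise a terabyte, deliver five bytes, then close
            body, declared = b"hello", 10**12
        self.wfile.write(
            b"HTTP/1.1 200 OK\r\nContent-Length: %d\r\n"
            b"Connection: close\r\n\r\n" % declared
        )
        self.wfile.write(body)
        # returning from handle() closes the connection, so the client sees EOF


def read_trusting_content_length(resp):
    """The pattern the advisory describes: read() with no amount sizes the
    read from Content-Length. On affected versions that is one allocation of
    the declared size. Kept only for contrast; never use it against /lying."""
    return resp.read()


def read_bounded(resp, limit=MAX_BODY, chunk=CHUNK):
    """Read the body in fixed-size pieces and stop at `limit`.

    resp.read(n) clips n to the remaining declared length, so a huge
    Content-Length costs at most `chunk` bytes per call, and EOF from a
    server that closes early simply ends the loop.
    """
    pieces, total = [], 0
    while True:
        data = resp.read(chunk)
        if not data:
            break
        total += len(data)
        if total > limit:
            resp.close()
            raise ResponseTooLarge(f"body exceeds {limit} bytes")
        pieces.append(data)
    return b"".join(pieces)


def fetch(port, path, reader=read_bounded):
    """GET `path` from the local server; return (declared length, body)."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        declared = int(resp.getheader("Content-Length"))
        return declared, reader(resp)
    finally:
        conn.close()


def start_server():
    """Start the constructed server on an ephemeral loopback port."""
    server = socketserver.TCPServer(("127.0.0.1", 0), _LyingHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


if __name__ == "__main__":
    srv = start_server()
    port = srv.server_address[1]
    print("honest:", fetch(port, "/honest"))
    print("lying :", fetch(port, "/lying"))  # 10**12 declared, 5 bytes read
    try:
        fetch(port, "/big")
    except ResponseTooLarge as exc:
        print("big   :", exc)
    srv.shutdown()
    srv.server_close()
```

The bounded reader is safe on every Python version because `read(n)` only ever allocates `n` bytes; the limit check is what protects against a server that really does send more than the application can hold, which no interpreter fix addresses.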
| Vendor | Product | Version | Status |
|---|---|---|---|
| python | python | < 3.13.11 | vulnerable |
| python | python | 3.14.0 | vulnerable |
| python | python | 3.15.0 alpha 1 | vulnerable |
| python | python | 3.15.0 alpha 2 | vulnerable |
All listed versions are vulnerable; 3.13.11 is the first unaffected release of the 3.13 series.
Debian Releases
Debian source packages tracked for this CVE: pypy3, python3.9, python3.11, python3.13, python3.14
Ubuntu Releases
Ubuntu source packages tracked for this CVE: python2.7, python3.4, python3.5, python3.6, python3.7, python3.8, python3.9, python3.10, python3.11, python3.12, python3.13, python3.14
Common Weakness Enumeration
- CWE-125 - Out-of-bounds Read: The software reads data past the end, or before the beginning, of the intended buffer. This tag fits the description poorly: nothing is read outside a buffer; the problem is an attacker-sized allocation, which CWE-400 covers.
- CWE-400 - Uncontrolled Resource Consumption: The software does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.