CVE-2025-13836

EUVD-2025-200070
When reading an HTTP response from a server, if no read amount is specified, the default behavior will be to use Content-Length. This allows a malicious server to cause the client to read large amounts of data into memory, potentially causing OOM or other DoS.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 35%
Affected Products (NVD)
VendorProductVersion
pythonpython
𝑥
< 3.13.11
pythonpython
3.14.0
pythonpython
3.15.0:alpha1
pythonpython
3.15.0:alpha2
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
pypy3
bookworm
no-dsa
bullseye
7.3.5+dfsg-2+deb11u2
not-affected
bullseye (security)
7.3.5+dfsg-2+deb11u5
fixed
forky
vulnerable
sid
vulnerable
trixie
no-dsa
python3.11
bookworm
no-dsa
bookworm (security)
vulnerable
bullseye
not-affected
trixie
no-dsa
python3.13
bookworm
no-dsa
bullseye
not-affected
forky
3.13.12-1
fixed
sid
3.13.12-1
fixed
trixie
no-dsa
python3.14
bookworm
no-dsa
bullseye
not-affected
forky
3.14.3-1
fixed
sid
3.14.3-1
fixed
trixie
no-dsa
python3.9
bookworm
no-dsa
bullseye
not-affected
bullseye (security)
3.9.2-1+deb11u5
fixed
trixie
no-dsa
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
python3.8
bionic
Fixed 3.8.0-3ubuntu1~18.04.2+esm8
released
focal
Fixed 3.8.10-0ubuntu1~20.04.18+esm4
released
jammy
dne
noble
dne
plucky
dne
questing
dne
python2.7
bionic
not-affected
focal
not-affected
jammy
not-affected
noble
dne
plucky
dne
questing
dne
trusty
not-affected
xenial
not-affected
python3.4
jammy
dne
noble
dne
plucky
dne
questing
dne
trusty
not-affected
python3.5
jammy
dne
noble
dne
plucky
dne
questing
dne
trusty
not-affected
xenial
not-affected
python3.6
bionic
not-affected
jammy
dne
noble
dne
plucky
dne
questing
dne
python3.7
bionic
not-affected
jammy
dne
noble
dne
plucky
dne
questing
dne
python3.9
focal
Fixed 3.9.5-3ubuntu0~20.04.1+esm8
released
jammy
dne
noble
dne
plucky
dne
questing
dne
python3.10
jammy
Fixed 3.10.12-1~22.04.13
released
noble
dne
plucky
dne
questing
dne
python3.11
jammy
Fixed 3.11.0~rc1-1~22.04.1~esm7
released
noble
dne
plucky
dne
questing
dne
python3.12
jammy
dne
noble
Fixed 3.12.3-1ubuntu0.10
released
plucky
dne
questing
dne
python3.13
jammy
dne
noble
dne
plucky
Fixed 3.13.3-1ubuntu0.5
released
questing
Fixed 3.13.7-1ubuntu0.2
released
python3.14
jammy
dne
noble
dne
plucky
dne
questing
Fixed 3.14.0-1ubuntu0.1
released
Common Weakness Enumeration
References
https://github.com/python/cpython/commit/14b1fdb0a94b96f86fc7b86671ea9582b8676628
https://github.com/python/cpython/commit/289f29b0fe38baf2d7cb5854f4bb573cc34a6a15
https://github.com/python/cpython/commit/4ce27904b597c77d74dd93f2c912676021a99155
https://github.com/python/cpython/commit/5a4c4a033a4a54481be6870aa1896fad732555b5
https://github.com/python/cpython/commit/5dc101675fd22918facbbe0fecdc821502beaaf0
https://github.com/python/cpython/commit/afc40bdd3dd71f343fd9016f6d8eebbacbd6587c
https://github.com/python/cpython/issues/119451
https://github.com/python/cpython/pull/119454
https://mail.python.org/archives/list/security-announce@python.org/thread/OQ6G7MKRQIS3OAREC3HNG3D2DPOU34XO/