CVE-2025-13836

9.1 CRITICAL

Published: December 01, 2025 Modified: December 30, 2025

Description

When reading an HTTP response from a server, if no read amount is specified, the default behavior will be to use Content-Length. This allows a malicious server to cause the client to read large amounts of data into memory, potentially causing OOM or other DoS.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

CVSS v3.x Details

0.0 Low Medium High Critical 10.0

Vector String

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory

https://github.com/python/cpython/commit/14b1fdb0a94b96f86fc7b86671ea9582b8676628

Source: cna@python.org

Patch

https://github.com/python/cpython/commit/289f29b0fe38baf2d7cb5854f4bb573cc34a6a15

Source: cna@python.org

Patch

https://github.com/python/cpython/commit/4ce27904b597c77d74dd93f2c912676021a99155

Source: cna@python.org

Patch

https://github.com/python/cpython/commit/5a4c4a033a4a54481be6870aa1896fad732555b5

Source: cna@python.org

Patch

https://github.com/python/cpython/issues/119451

Source: cna@python.org

Issue Tracking Patch

https://github.com/python/cpython/pull/119454

Source: cna@python.org

Issue Tracking Patch

https://mail.python.org/archives/list/security-announce@python.org/thread/OQ6G7MKRQIS3OAREC3HNG3D2DPOU34XO/

Source: cna@python.org

Vendor Advisory

7 reference(s) from NVD

Quick Stats

CVSS v3 Score

9.1 / 10.0

EPSS (Exploit Probability)

0.1%

24th percentile

Exploitation Status

Not in CISA KEV

Weaknesses (CWE)

CWE-125 CWE-400

Affected Vendors

python

Related CVEs

CVE-2025-69261 N/A

CVE-2025-69257 6.7

CVE-2025-69210 N/A

CVE-2025-66823 N/A

CVE-2025-50343 N/A