QwikSec

Security Database

CVE

CWE

Training

CVE-2025-13836

Published: Dec 1, 2025

Modified: Mar 3, 2026

PUBLISHED

Description

When reading an HTTP response from a server, if no read amount is specified, the default behavior will be to use Content-Length. This allows a malicious server to cause the client to read large amounts of data into memory, potentially causing OOM or other DoS.

Vendor	Product	Versions
Python Software Foundation	CPython	affected `0 - < 3.10.20` affected `3.11.0 - < 3.11.15` affected `3.12.0 - < 3.12.13` affected `3.13.0 - < 3.13.11` affected `3.14.0 - < 3.14.1` +1 more versions

References

https://github.com/python/cpython/issues/119451

issue-tracking

https://github.com/python/cpython/pull/119454

patch

https://github.com/python/cpython/commit/4ce27904b597c77d74dd93f2c912676021a99155

patch

https://github.com/python/cpython/commit/5a4c4a033a4a54481be6870aa1896fad732555b5

patch

https://mail.python.org/archives/list/[email protected]/thread/OQ6G7MKRQIS3OAREC3HNG3D2DPOU34XO/

vendor-advisory

https://github.com/python/cpython/commit/289f29b0fe38baf2d7cb5854f4bb573cc34a6a15

patch

https://github.com/python/cpython/commit/14b1fdb0a94b96f86fc7b86671ea9582b8676628

patch

https://github.com/python/cpython/commit/5dc101675fd22918facbbe0fecdc821502beaaf0

patch

https://github.com/python/cpython/commit/afc40bdd3dd71f343fd9016f6d8eebbacbd6587c

patch

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.