Denial of Service Vulnerability in Python’s HTTP Response Handling
CVE-2025-13836

6.3 MEDIUM

Key Information:

Status:
Vendor:
CVE Published: 1 December 2025

What is CVE-2025-13836?

A vulnerability exists in Python's HTTP response handling: when a response body is read without a specified amount, the read size defaults to the server-supplied Content-Length. This allows a malicious server to force the client to read excessive amounts of data into memory. As a result, the client may encounter out-of-memory (OOM) errors or other denial-of-service (DoS) conditions, impacting application stability and performance.
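As an added example (not part of the CVE record or of CPython itself), the helper below reads an `http.client` response body under a client-side size budget: it rejects an oversized advertised Content-Length before reading, and pulls the body in bounded pieces so a chunked or length-less body cannot exceed the budget either. The `FakeSocket`, `parse_response`, `read_bounded` and `demo` names and the three sample responses are constructed here so the code runs offline.

```python
import http.client
from io import BytesIO

CHUNK = 64 * 1024  # read the body in fixed-size pieces, never all at once


class FakeSocket:
    """Constructed socket stand-in so HTTPResponse can parse canned bytes offline."""

    def __init__(self, raw: bytes):
        self._raw = raw

    def makefile(self, *args, **kwargs):
        return BytesIO(self._raw)


def parse_response(raw: bytes) -> http.client.HTTPResponse:
    """Parse a raw HTTP/1.1 response (status line, headers, body) into an HTTPResponse."""
    resp = http.client.HTTPResponse(FakeSocket(raw), method="GET")
    resp.begin()  # parses status line and headers; resp.length comes from Content-Length
    return resp


def read_bounded(resp: http.client.HTTPResponse, max_bytes: int) -> bytes:
    """Read the body while enforcing a size budget the server cannot influence."""
    # A bare resp.read() sizes itself from the server's Content-Length; check it first.
    if resp.length is not None and resp.length > max_bytes:
        raise ValueError(f"Content-Length {resp.length} exceeds limit of {max_bytes} bytes")
    buf = bytearray()
    while True:
        # Ask for at most one byte past the budget so an overrun is detectable.
        want = min(CHUNK, max_bytes - len(buf) + 1)
        piece = resp.read(want)
        if not piece:
            break
        buf += piece
        if len(buf) > max_bytes:
            raise ValueError(f"response body exceeds limit of {max_bytes} bytes")
    return bytes(buf)


# Constructed samples: an honest response, one advertising a terabyte, and a chunked
# response whose real body (2000 bytes, 0x7d0) is larger than a 1 KiB budget.
HONEST = b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello"
HUGE_LENGTH = b"HTTP/1.1 200 OK\r\nContent-Length: 1000000000000\r\n\r\nhello"
CHUNKED_BIG = (b"HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\n\r\n"
               + b"7d0\r\n" + b"x" * 2000 + b"\r\n0\r\n\r\n")


def demo(raw: bytes, limit: int = 1024) -> str:
    """Return 'ok:<body size>' or 'rejected:<reason>' for a raw response under the limit."""
    try:
        return f"ok:{len(read_bounded(parse_response(raw), limit))}"
    except ValueError as exc:
        return f"rejected:{exc}"
```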

Affected Version(s)

CPython 0 < 3.15.0

References

CVSS V4

Score: 6.3
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
