CVE-2025-13836

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2025-13836
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-13836.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-13836
Aliases
Downstream
Related
Published
2025-12-01T18:16:04.200Z
Modified
2026-03-26T17:29:27.022537Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
[none]
Details

When reading an HTTP response from a server, if no read amount is specified, the default behavior will be to use Content-Length. This allows a malicious server to cause the client to read large amounts of data into memory, potentially causing OOM or other DoS.

References

Affected packages

Git / github.com/python/cpython

Affected ranges

Type
GIT
Repo
https://github.com/python/cpython
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
627894459a84be3488a1789919679c997056a03c
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
ebf955df7a89ed0c7968f79faec1de49f61ed7cb
Fixed
14b1fdb0a94b96f86fc7b86671ea9582b8676628
Fixed
289f29b0fe38baf2d7cb5854f4bb573cc34a6a15
Fixed
4ce27904b597c77d74dd93f2c912676021a99155
Fixed
5a4c4a033a4a54481be6870aa1896fad732555b5
Fixed
5dc101675fd22918facbbe0fecdc821502beaaf0
Fixed
afc40bdd3dd71f343fd9016f6d8eebbacbd6587c
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "3.13.11"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "3.14.0-NA"
        }
    ]
}

Affected versions

2.*
2.5
3.*
3.2
v0.*
v0.9.8
v0.9.9
v1.*
v1.0.1
v1.0.2
v1.1
v1.1.1
v1.2
v1.2b1
v1.2b2
v1.2b3
v1.2b4
v1.3
v1.3b1
v1.4
v1.4b1
v1.4b2
v1.4b3
v1.5
v1.5.1
v1.5.2
v1.5.2a1
v1.5.2a2
v1.5.2b1
v1.5.2b2
v1.5.2c1
v1.5a1
v1.5a2
v1.5a3
v1.5a4
v1.5b1
v1.5b2
v1.6a1
v1.6a2
v2.*
v2.0
v2.0b1
v2.0b2
v2.0c1
v2.1
v2.1a1
v2.1a2
v2.1b1
v2.1b2
v2.1c1
v2.1c2
v2.2a3
v2.3c1
v2.3c2
v2.4
v2.4a1
v2.4a2
v2.4a3
v2.4b1
v2.4b2
v2.4c1
v2.5
v2.5.1
v2.5.1c1
v2.5.2
v2.5.2c1
v2.5.3
v2.5.3c1
v2.5.4
v2.5.5
v2.5.5c1
v2.5.5c2
v2.5.6
v2.5.6c1
v2.5a0
v2.5a1
v2.5a2
v2.5b1
v2.5b2
v2.5b3
v2.5c1
v2.5c2
v2.6
v2.6.1
v2.6.2
v2.6.2c1
v2.6.3
v2.6.3rc1
v2.6.4
v2.6.4rc1
v2.6.4rc2
v2.6.5
v2.6.5rc1
v2.6.5rc2
v2.6.6
v2.6.6rc1
v2.6.6rc2
v2.6.7
v2.6.8
v2.6.8rc1
v2.6.8rc2
v2.6a1
v2.6a2
v2.6a3
v2.6b1
v2.6b2
v2.6b3
v2.6rc1
v2.6rc2
v2.7
v2.7.1
v2.7.1rc1
v2.7.2
v2.7.2rc1
v2.7.3
v2.7.3rc1
v2.7.3rc2
v2.7.4rc1
v2.7a1
v2.7a2
v2.7a3
v2.7a4
v2.7b1
v2.7b2
v2.7rc1
v2.7rc2
v3.*
v3.0a1
v3.0a2
v3.0a3
v3.0a4
v3.0a5
v3.0b1
v3.0b2
v3.0b3
v3.0rc1
v3.0rc2
v3.0rc3
v3.1
v3.1.1
v3.1.1rc1
v3.1.2
v3.1.2rc1
v3.1.3
v3.1.3rc1
v3.1.4
v3.1.4rc1
v3.1.5
v3.1.5rc1
v3.1.5rc2
v3.10.0a1
v3.10.0a2
v3.10.0a3
v3.10.0a4
v3.10.0a5
v3.10.0a6
v3.10.0a7
v3.11.0a1
v3.11.0a2
v3.11.0a3
v3.11.0a4
v3.11.0a5
v3.11.0a6
v3.11.0a7
v3.11.0b1
v3.12.0a1
v3.12.0a2
v3.12.0a3
v3.12.0a4
v3.12.0a5
v3.12.0a6
v3.12.0a7
v3.12.0b1
v3.13.0a1
v3.13.0a2
v3.13.0a3
v3.13.0a4
v3.13.0a5
v3.13.0a6
v3.13.0b1
v3.14.0
v3.14.0a1
v3.14.0a2
v3.14.0a3
v3.14.0a4
v3.14.0a5
v3.14.0a6
v3.14.0a7
v3.14.0b1
v3.14.0b2
v3.14.0b3
v3.14.0b4
v3.14.0rc1
v3.14.0rc2
v3.14.0rc3
v3.1a1
v3.1a2
v3.1b1
v3.1rc1
v3.1rc2
v3.2
v3.2.1
v3.2.1b1
v3.2.1rc1
v3.2.1rc2
v3.2.2
v3.2.2rc1
v3.2.3
v3.2.3rc1
v3.2.3rc2
v3.2.4
v3.2.4rc1
v3.2.5
v3.2.6
v3.2.6rc1
v3.2a1
v3.2a2
v3.2a3
v3.2a4
v3.2b1
v3.2b2
v3.2rc1
v3.2rc2
v3.2rc3
v3.3.0
v3.3.0a1
v3.3.0a2
v3.3.0a3
v3.3.0a4
v3.3.0b1
v3.3.0b2
v3.3.0rc1
v3.3.0rc2
v3.3.0rc3
v3.3.1
v3.3.1rc1
v3.3.2
v3.3.3
v3.3.3rc1
v3.3.3rc2
v3.3.4
v3.3.4rc1
v3.3.5
v3.3.5rc1
v3.3.5rc2
v3.3.6
v3.3.6rc1
v3.4.0
v3.4.0a1
v3.4.0a2
v3.4.0a3
v3.4.0a4
v3.4.0b1
v3.4.0b2
v3.4.0b3
v3.4.0rc1
v3.4.0rc2
v3.4.0rc3
v3.4.1
v3.4.1rc1
v3.4.2
v3.4.2rc1
v3.4.3
v3.4.3rc1
v3.4.4
v3.4.4rc1
v3.4.5
v3.4.5rc1
v3.4.6
v3.4.6rc1
v3.5.0
v3.5.0a1
v3.5.0a2
v3.5.0a3
v3.5.0a4
v3.5.0b1
v3.5.0b2
v3.5.0b3
v3.5.0b4
v3.5.0rc1
v3.5.0rc2
v3.5.0rc3
v3.5.0rc4
v3.5.1
v3.5.1rc1
v3.5.2
v3.5.2rc1
v3.5.3
v3.5.3rc1
v3.6.0
v3.6.0a1
v3.6.0a2
v3.6.0a3
v3.6.0a4
v3.6.0b1
v3.6.0b2
v3.6.0b3
v3.6.0b4
v3.6.0rc1
v3.6.0rc2
v3.7.0a1
v3.7.0a2
v3.7.0a3
v3.7.0a4
v3.8.0a1
v3.8.0a2
v3.8.0a3
v3.8.0a4
v3.8.0b1
v3.9.0a1
v3.9.0a2
v3.9.0a3
v3.9.0a4
v3.9.0a5
v3.9.0a6

Database specific

unresolved_ranges 
[
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "3.15.0-alpha1"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "3.15.0-alpha2"
            }
        ]
    }
]
source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-13836.json"