CVE-2025-13836

Advisory lineage Upstream: 0 Downstream: 58

Downstream

DEBIAN-CVE-2025-13836 DLA-4445-1 MGASA-2025-0324 OPENSUSE-SU-2025:15839-1 OPENSUSE-SU-2025:15840-1 OPENSUSE-SU-2025:15846-1

Analyzed

Published: 01 Dec 2025, 18:02

Last modified:03 Mar 2026, 14:41

Vulnerability Summary

Overall Risk (default)

medium

30/100

CVSS Score

7.5 HIGH

v3.1 (nvd)

EPSS Score

0.21% LOW

0% probability +0.06%

KEV

Not listed

Ransomware

No reports

Public exploits

None found

Dark Web

Not detected

Timeline

01 Dec 2025, 18:02

Published

Vulnerability first disclosed

03 Mar 2026, 14:41

Last Modified

Vulnerability information updated

Description

When reading an HTTP response from a server, if no read amount is specified, the default behavior will be to use Content-Length. This allows a malicious server to cause the client to read large amounts of data into memory, potentially causing OOM or other DoS.

CVSS Metrics

v4.0•MEDIUM•Score: 6.3CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L
v4.0•MEDIUM•Score: 6.3CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
v3.1•HIGH•Score: 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Trends

Current EPSS score: 0.21%• Percentile: 44%

Techniques & Countermeasures

CWE-125•Out-of-bounds Read
The product reads data past the end, or before the beginning, of the intended buffer.
CWE-400•Uncontrolled Resource Consumption
The product does not properly control the allocation and maintenance of a limited resource.

Affected Systems

python software foundation•cpython
< 3.13.11 | < 3.10.20 | ≥ 3.11.0, < 3.11.15 | ≥ 3.12.0, < 3.12.13 | ≥ 3.13.0, < 3.13.11 | ≥ 3.14.0, < 3.14.1 | ≥ 3.15.0a1, < 3.15.0a3
python•python
< 3.13.11 | < 3.10.20 | ≥ 3.11.0, < 3.11.15 | ≥ 3.12.0, < 3.12.13 | ≥ 3.13.0, < 3.13.11 | 3.14.0 | 3.15.0:alpha1 | 3.15.0:alpha2