CVE-2025-13836 Overview
CVE-2025-13836 is a Denial of Service vulnerability affecting Python's http.client module. When reading an HTTP response from a server without specifying a read amount, the default behavior sizes the read buffer from the Content-Length header value. This design flaw allows a malicious server to send a response with an extremely large Content-Length value, causing the client to attempt to allocate massive amounts of memory. The resulting memory exhaustion can lead to Out of Memory (OOM) conditions, system instability, or complete denial of service.
Critical Impact
A malicious server can cause Python HTTP clients to allocate arbitrary amounts of memory, potentially crashing applications, containers, or entire systems through memory exhaustion.
Affected Products
- Python versions prior to patched releases
- Python 3.14.0 (pre-release)
- Python 3.15.0 alpha1 and alpha2
Discovery Timeline
- 2025-12-01 - CVE-2025-13836 published to NVD
- 2026-02-10 - Last updated in NVD database
Technical Details for CVE-2025-13836
Vulnerability Analysis
This vulnerability (CWE-400: Uncontrolled Resource Consumption) exists in Python's http.client module due to how HTTP response bodies are read. When a Python application makes an HTTP request and reads the response without explicitly specifying a maximum read size, the module trusts the Content-Length header provided by the server. A malicious server can exploit this by returning an HTTP response with an arbitrarily large Content-Length value, such as several gigabytes or terabytes. The client will then attempt to allocate a buffer of that size in memory before reading the response data.
The impact extends beyond simple application crashes. In containerized environments, this can lead to OOM-killed containers affecting service availability. On shared systems, the memory pressure can impact other processes and potentially cause system-wide instability.
Root Cause
The root cause lies in the absence of a maximum buffer size limit when reading HTTP response data. The http.client module would directly use the Content-Length header value to determine how much memory to allocate for the response buffer. Without a sanity check or chunked reading mechanism for large responses, the module was vulnerable to malicious Content-Length values that exceeded available system memory.
Attack Vector
The attack requires a network-accessible malicious server that a Python client connects to. An attacker controlling such a server can respond to any HTTP request with a crafted response containing an extremely large Content-Length header. When the victim's Python application attempts to read the response body, it will try to allocate memory matching that Content-Length value, triggering memory exhaustion.
# Security patch from Lib/http/client.py
# Source: https://github.com/python/cpython/commit/14b1fdb0a94b96f86fc7b86671ea9582b8676628
_MAXLINE = 65536
_MAXHEADERS = 100
+# Data larger than this will be read in chunks, to prevent extreme
+# overallocation.
+_MIN_READ_BUF_SIZE = 1 << 20
+
+
# Header name/value ABNF (http://tools.ietf.org/html/rfc7230#section-3.2)
#
# VCHAR = %x21-7E
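Review bot: `_MIN_READ_BUF_SIZE` is defined here but nothing in this excerpt uses it; the chunked-read behaviour the new comment promises lives in the read path, which the hunk omits, so this snippet alone does not show the fix and readers verifying it need the rest of the commit. The name also reads as a minimum buffer size when it is a threshold above which reads are chunked; either a name that says "threshold" or one more comment line stating that data at or below this size is still read in a single allocation would make the intent clear.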
The fix introduces the _MIN_READ_BUF_SIZE constant, set to 1 MiB (1 << 20 bytes). Response data larger than this threshold is read in chunks rather than allocated in one piece, which prevents extreme memory overallocation driven by the server-supplied Content-Length.
Detection Methods for CVE-2025-13836
Indicators of Compromise
- Abnormal memory growth in Python processes during HTTP client operations
- OOM (Out of Memory) events or process crashes coinciding with outbound HTTP requests
- Python applications receiving HTTP responses with unusually large Content-Length headers
- System logs showing memory exhaustion events correlated with network activity
Detection Strategies
- Monitor Python process memory consumption for sudden spikes during HTTP operations
- Implement network-level inspection to flag HTTP responses with Content-Length values exceeding reasonable thresholds
- Review application logs for MemoryError exceptions in code paths involving http.client or libraries built on it (such as urllib)
- Deploy runtime application security monitoring to detect anomalous memory allocation patterns
Monitoring Recommendations
- Configure memory limits and alerting for Python applications making outbound HTTP requests
- Implement container resource limits to prevent single-application memory exhaustion from affecting the host
- Monitor for connections to untrusted or suspicious servers that may be attempting this attack
- Enable detailed logging for HTTP client operations to aid post-incident analysis
How to Mitigate CVE-2025-13836
Immediate Actions Required
- Update Python to the latest patched version for your release branch
- Review applications that connect to untrusted or user-controlled HTTP servers
- Implement memory limits on Python processes and containers as a defense-in-depth measure
- Consider adding application-level validation of Content-Length headers before reading responses
Patch Information
Python has released security patches for multiple version branches addressing this vulnerability. The fix introduces chunked reading for large responses to prevent extreme memory overallocation. Patches are available through the following commits:
For full details, see the GitHub CPython Issue Discussion and the Python Security Announcement.
Workarounds
- Explicitly specify maximum read sizes when calling response read methods
- Implement wrapper functions that validate Content-Length before reading response bodies
- Use network-level controls to limit maximum response sizes from untrusted servers
- Deploy reverse proxies or WAFs that can filter responses with abnormally large Content-Length headers
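A defensive reader implementing the first two workarounds above (and the Content-Length validation recommended under Immediate Actions), written as an added example for this page rather than code from CPython or its fix. It treats Content-Length only as an early-reject signal, reads with an explicit amount so no allocation is ever sized by the server, and enforces a total cap that also covers bodies with no Content-Length; MAX_BODY_BYTES, READ_CHUNK and the FakeSocket stand-in used to parse captured bytes offline are assumptions of this example.

```python
import http.client
import io

# Policy values assumed for this example (not CPython's constants): the most
# body we will hold in memory, and the size of each bounded read() call.
MAX_BODY_BYTES = 8 * 1024 * 1024
READ_CHUNK = 64 * 1024


class BodyTooLarge(Exception):
    """Raised when a response body exceeds the configured cap."""


def read_bounded(resp, max_bytes=MAX_BODY_BYTES, chunk=READ_CHUNK):
    # Content-Length is only an early-reject signal, never an allocation size.
    declared = resp.getheader("Content-Length")
    if declared is not None:
        try:
            n = int(declared)
        except ValueError:
            raise BodyTooLarge("malformed Content-Length %r" % declared)
        if n > max_bytes:
            raise BodyTooLarge("declared %d bytes exceeds cap %d" % (n, max_bytes))
    buf = bytearray()
    while True:
        part = resp.read(chunk)  # explicit amount: allocates at most `chunk`
        if not part:
            break
        buf += part
        # Also catches bodies with no Content-Length (read until close).
        if len(buf) > max_bytes:
            raise BodyTooLarge("body exceeds cap %d" % max_bytes)
    return bytes(buf)


class FakeSocket:
    # Minimal socket stand-in so HTTPResponse can parse captured bytes offline.
    def __init__(self, raw):
        self._file = io.BytesIO(raw)

    def makefile(self, mode, *args, **kwargs):
        return self._file


def parse_response(raw):
    # Build an http.client.HTTPResponse from constructed raw response bytes.
    resp = http.client.HTTPResponse(FakeSocket(raw))
    resp.begin()
    return resp
```

In real code, parse_response is replaced by the HTTPResponse returned from HTTPConnection.getresponse(); read_bounded works on it unchanged.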
# Configuration example: Container memory limits as defense-in-depth
# Docker memory limit
docker run --memory="512m" --memory-swap="512m" your-python-app

# Kubernetes resource limits in the container spec of a deployment
resources:
  limits:
    memory: "512Mi"
  requests:
    memory: "256Mi"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.