CVE-2025-13837 Overview
CVE-2025-13837 is a Denial of Service (DoS) vulnerability in Python's plistlib module. When loading a plist file, the plistlib module reads data in a size specified by the file itself, meaning a malicious file can cause Out-of-Memory (OOM) conditions and Denial of Service issues. This vulnerability affects applications that process untrusted plist files using Python's standard library.
Critical Impact
A maliciously crafted plist file can exhaust system memory, causing application crashes and denial of service conditions on systems processing untrusted plist data.
Affected Products
- Python CPython (multiple versions)
- Applications using Python's plistlib module to parse untrusted plist files
Discovery Timeline
- December 1, 2025 - CVE-2025-13837 published to NVD
- December 2, 2025 - Last updated in NVD database
Technical Details for CVE-2025-13837
Vulnerability Analysis
This vulnerability exists in Python's plistlib module, which is used to read and write macOS plist (property list) files. The core issue is an improper input validation flaw where the module trusts the size values embedded within the plist file structure without adequate bounds checking.
When parsing a binary plist file, the plistlib module reads object sizes directly from the file header and object metadata. An attacker can craft a malicious plist file with an extremely large size value, causing Python to attempt to allocate an excessive amount of memory. This can lead to Out-of-Memory (OOM) conditions that crash the application or degrade system performance.
CVSS 4.0 Score: 2.1 (LOW)
CVSS Vector:CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Local
EPSS Score: 0.018% (Percentile: 3.982)
Root Cause
The root cause of CVE-2025-13837 is improper input validation in the plistlib module's binary plist parsing logic. The module reads size parameters directly from the plist file without validating them against reasonable bounds or available system resources. This allows an attacker to specify arbitrary sizes that the module will attempt to honor, leading to memory exhaustion.
The vulnerability is classified as a Resource Exhaustion denial of service, where the attacker controls the resource consumption through malicious input data.
Attack Vector
The attack requires local access to provide a malicious plist file to an application using the vulnerable plistlib module. The attack flow is as follows:
- An attacker crafts a malicious binary plist file with exaggerated size values in the file header or object metadata
- The victim application processes the malicious plist file using plistlib.load() or plistlib.loads()
- The plistlib module attempts to allocate memory based on the attacker-controlled size values
- System memory is exhausted, causing application crash or system instability
The vulnerability manifests when parsing binary plist files with manipulated size fields. The plistlib module attempts to pre-allocate buffers based on these size values without proper validation. See the GitHub issue #119342 and associated commits for detailed technical information about the vulnerable code paths.
Detection Methods for CVE-2025-13837
Indicators of Compromise
- Sudden memory exhaustion when processing plist files
- Application crashes with OOM errors during plist parsing operations
- Abnormally large memory allocations by Python processes handling plist data
- System performance degradation when parsing untrusted plist files
Detection Strategies
Organizations can detect potential exploitation of CVE-2025-13837 through the following methods:
Memory Monitoring: Monitor Python processes for unusual memory allocation patterns, especially during plist file processing. Sudden spikes in memory usage when handling external plist files may indicate exploitation attempts.
File Analysis: Implement file validation to check plist files for suspicious size values before processing. Binary plist files with size fields exceeding reasonable thresholds should be flagged for review.
Application Logging: Enable detailed logging in applications that process plist files to track memory allocation failures and OOM conditions.
Monitoring Recommendations
Deploy monitoring solutions that can track:
- Memory allocation patterns for Python applications
- Process crashes related to OOM conditions
- File access patterns for plist files from untrusted sources
- System resource utilization during plist parsing operations
SentinelOne Singularity provides comprehensive endpoint protection that can detect anomalous process behavior, including unusual memory consumption patterns that may indicate exploitation of resource exhaustion vulnerabilities like CVE-2025-13837.
How to Mitigate CVE-2025-13837
Immediate Actions Required
- Update Python to the latest patched version
- Implement input validation for plist files before processing
- Set memory limits for processes that handle untrusted plist data
- Avoid processing plist files from untrusted sources when possible
Patch Information
The Python Software Foundation has released patches to address this vulnerability. The following commits contain the fixes:
- Commit 694922cf40aa3a28f898b5f5ee08b71b4922df70 (View on GitHub)
- Commit 71fa8eb8233b37f16c88b6e3e583b461b205d1ba (View on GitHub)
- Commit b64441e4852383645af5b435411a6f849dd1b4cb (View on GitHub)
For detailed information about the vulnerability and patch, see the Python Security Announcement.
Workarounds
If immediate patching is not possible, implement the following workarounds:
Limit memory for Python processes: Use operating system-level controls to restrict memory allocation for processes that handle plist files.
Pre-validate plist files: Implement file size checks and basic validation before passing files to plistlib.
Sandbox plist processing: Run plist parsing operations in isolated environments with limited resources.
Use alternative libraries: Consider using alternative plist parsing libraries with built-in size validation until patching is complete.
# Example: Limit memory for Python process using ulimit
ulimit -v 1048576 # Limit virtual memory to 1GB
python your_plist_app.py
# Example: Using resource module in Python for memory limits
# Add to your application before processing plist files
import resource
resource.setrlimit(resource.RLIMIT_AS, (1024 * 1024 * 1024, 1024 * 1024 * 1024))
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
