PatchSiren cyber security CVE debrief

CVE-2025-13836 Python CVE debrief

CVE-2025-13836 is a medium-severity Python vulnerability in HTTP response handling. If a client reads a response without specifying a size, the default behavior uses Content-Length. A malicious server can abuse that behavior by advertising a very large value and forcing the client to read excessive data into memory, which can lead to out-of-memory conditions or denial of service.

Vendor: Python
Product: Unknown
CVSS: MEDIUM 6.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-12-01
Original CVE updated: 2026-05-18
Advisory published: 2025-12-01
Advisory updated: 2026-05-18

Who should care

Teams running Python client code, proxies, or services that consume HTTP responses from untrusted servers, especially any code paths that call read() without an explicit limit.

Technical summary

According to the NVD description, the issue occurs when reading an HTTP response and no read amount is specified. In that case, Python defaults to using Content-Length, which makes response size effectively attacker-influenced when the server is malicious. The practical impact is memory exhaustion and possible process or service disruption rather than code execution. NVD maps the weakness to CWE-400 (Uncontrolled Resource Consumption).

Defensive priority

Moderate to high for any Internet-facing or untrusted-server HTTP client in Python; prioritize upgrading affected runtimes and auditing code that relies on default-size response reads.

Recommended defensive actions

  • Upgrade Python to a version outside the affected ranges listed by NVD: releases earlier than 3.10.20, 3.11.15, 3.12.13, and 3.13.11 are marked vulnerable, and NVD also lists 3.14.0 and 3.15.0 alpha1/alpha2 as vulnerable.
  • Review application code for HTTP response reads that omit an explicit size limit and replace them with bounded reads or streaming patterns where appropriate.
  • Add safeguards around untrusted HTTP responses, such as response-size limits, timeouts, and memory-budget controls at the application or platform layer.
  • Validate whether any bundled libraries, test tooling, or internal services rely on CPython network-response behavior and schedule remediation accordingly.
  • Monitor Python security advisories and the referenced CPython patch commits for backported fixes in your distribution or vendor build.
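The bounded-read pattern recommended above, as an added example that is not part of the original debrief or of CPython: read_bounded checks the advertised Content-Length against a caller-chosen budget before reading, then caps the bytes actually consumed so a server that lies about the length or uses chunked encoding cannot exceed it either. FakeResponse is a constructed stand-in for http.client.HTTPResponse so the example runs offline.

```python
import io

class ResponseTooLarge(Exception):
    """Raised when a response exceeds the caller's byte budget."""

def read_bounded(resp, max_bytes, chunk_size=65536):
    """Read at most max_bytes of body from resp.

    resp needs read(amt) and getheader(name, default), the interface of
    http.client.HTTPResponse. Content-Length is checked before any bytes
    are read, and the bytes actually consumed are capped as well.
    """
    declared = resp.getheader("Content-Length")
    if declared is not None:
        try:
            declared = int(declared)
        except ValueError:
            raise ResponseTooLarge(f"unparseable Content-Length: {declared!r}")
        if declared < 0 or declared > max_bytes:
            raise ResponseTooLarge(f"declared {declared} bytes, budget {max_bytes}")
    buf = bytearray()
    while True:
        # Ask for one byte past the remaining budget so an overrun is detected
        # without ever buffering more than max_bytes + chunk_size.
        chunk = resp.read(min(chunk_size, max_bytes - len(buf) + 1))
        if not chunk:
            return bytes(buf)
        buf.extend(chunk)
        if len(buf) > max_bytes:
            raise ResponseTooLarge(f"body exceeded {max_bytes} bytes")

def safe_read(resp, max_bytes):
    """Return the body, or None if the budget rejected the response."""
    try:
        return read_bounded(resp, max_bytes)
    except ResponseTooLarge:
        return None

class FakeResponse:
    """Constructed stand-in for HTTPResponse (example only, runs offline)."""
    def __init__(self, headers, body):
        self._headers = {k.lower(): v for k, v in headers.items()}
        self._body = io.BytesIO(body)
    def getheader(self, name, default=None):
        return self._headers.get(name.lower(), default)
    def read(self, amt=None):
        return self._body.read(amt)

if __name__ == "__main__":
    # A server advertising a 10 GB body is rejected before a single byte is read.
    print(safe_read(FakeResponse({"Content-Length": "10000000000"}, b"x"), 1 << 20))
```

With a live connection, pass the HTTPResponse returned by HTTPConnection.getresponse() in place of FakeResponse; the budget should reflect what the calling code can actually afford to hold in memory.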

Evidence notes

This debrief is based only on the supplied NVD/CVE corpus. The source item is marked vulnStatus: Analyzed and includes Python vendor-linked references to multiple CPython patch commits, issue tracking, a pull request, and the Python security-announce advisory. The CVE was published on 2025-12-01T18:16:04.200Z and last modified on 2026-05-18T16:58:51.810Z. NVD lists CWE-400 and vulnerable Python CPE criteria covering releases earlier than 3.10.20, 3.11.15, 3.12.13, and 3.13.11, plus 3.14.0 and 3.15.0 alpha1/alpha2.

Official resources

Published in the CVE/NVD record on 2025-12-01 and updated on 2026-05-18; the NVD reference set includes CPython patch commits and a Python security advisory.