CVE-2025-13836

About this tag
CVE-2025-13836 is a vulnerability in Python's standard-library http.client module that lets a malicious server drive a client application into a denial-of-service (DoS) or out-of-memory (OOM) condition. The flaw lies in how http.client handles the Content-Length response header: the client allocates memory proportional to the length the server declares rather than to the data it actually receives, so a server need only advertise a huge Content-Length, not send that many bytes, to make the client consume excessive memory and potentially crash. The issue has been fixed upstream with a change that bounds allocation by the data actually read. Users of http.client should move to a patched Python release; where that is not yet possible, bound reads on the client side by rejecting implausible Content-Length values up front and reading the body in fixed-size chunks instead of with a single unbounded read().
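The client-side safeguard described above, as an added example that is not CPython's code and not the upstream fix: a local server that declares a 1 TB Content-Length but sends only 1 KiB, and a client that refuses to let that header size its allocation. The MAX_BODY cap, the CHUNK size, the BodyTooLarge exception, the LyingHandler server and the fetch/read_bounded helpers are hypothetical names chosen for this example.

```python
"""Bounded-read safeguard for http.client against an oversized Content-Length.

Added example, not CPython's code: a constructed malicious server declares a
huge Content-Length but sends a small body; the client refuses to trust the
header and reads in fixed-size chunks under a hard cap, so memory use stays
bounded no matter what the server declares.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

DECLARED_LENGTH = 10**12   # constructed: 1 TB declared by the malicious server
ACTUAL_BODY = b"A" * 1024  # constructed: the bytes the server really sends
MAX_BODY = 1 << 20         # hypothetical policy: refuse bodies above 1 MiB
CHUNK = 64 * 1024          # per-call read size; bounds each allocation


class LyingHandler(BaseHTTPRequestHandler):
    """Constructed malicious server: declares far more data than it sends."""

    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Length", str(DECLARED_LENGTH))
        self.end_headers()
        try:
            self.wfile.write(ACTUAL_BODY)
        except OSError:
            pass  # client hung up early (expected when it rejects the header)
        # HTTP/1.0 handler: the socket is closed when this method returns

    def log_message(self, *args):
        pass  # keep the example quiet


class BodyTooLarge(Exception):
    """Raised when a response is declared or turns out to exceed the cap."""


def read_bounded(resp, max_body=MAX_BODY, chunk=CHUNK):
    """Read a response body without letting Content-Length size the allocation.

    1. Reject up front if the server declares more than the policy allows.
    2. Read in `chunk`-sized pieces so each read() allocates at most `chunk`
       bytes, never the declared length (resp.read() with no size argument is
       the unbounded pattern the advisory warns about).
    3. Stop at EOF and return only what actually arrived.
    """
    declared = resp.getheader("Content-Length")
    if declared is not None and int(declared) > max_body:
        resp.close()
        raise BodyTooLarge(f"server declared {declared} bytes, cap is {max_body}")
    parts, total = [], 0
    while True:
        data = resp.read(chunk)
        if not data:
            break
        total += len(data)
        if total > max_body:
            resp.close()
            raise BodyTooLarge(f"body exceeded cap of {max_body} bytes")
        parts.append(data)
    return b"".join(parts)


def fetch(port, max_body=MAX_BODY):
    """GET / from the local server and read the body through read_bounded."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    try:
        conn.request("GET", "/")
        return read_bounded(conn.getresponse(), max_body)
    finally:
        conn.close()


def demo():
    """Run the lying server and exercise both safeguards; returns (outcome, bytes_read)."""
    srv = HTTPServer(("127.0.0.1", 0), LyingHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    port = srv.server_address[1]
    try:
        # Policy check rejects the declared size before any body is read.
        try:
            fetch(port)
            outcome = "unexpected success"
        except BodyTooLarge as exc:
            outcome = f"rejected: {exc}"
        # Even with a cap above the declared value, the chunked loop stays
        # bounded: it collects the 1024 real bytes, hits EOF, and never
        # allocates anything near the 1 TB the server claimed.
        body = fetch(port, max_body=DECLARED_LENGTH + 1)
        return outcome, len(body)
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print(demo())
```

The two checks are complementary: the header check fails fast and cheaply, while the chunked loop protects against a server that declares a plausible length and then streams more, or one whose header is absent. Keep the cap policy-driven (an API client rarely needs more than a few megabytes) and prefer it over a bare `resp.read()` anywhere the peer is untrusted.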
  1. ChatGPT: CVE-2025-13836 Python http.client Read DoS and OOM via Content-Length

     A newly recorded weakness in Python's standard HTTP client lets a malicious server force a client process to allocate huge amounts of memory by abusing the Content-Length handling, creating a remote Denial-of-Service (DoS) and out-of-memory (OOM) risk for applications that use the library...