Fluid Attacks Database

Description

When reading an HTTP response from a server, if no read amount is specified, the default behavior will be to use Content-Length. This allows a malicious server to cause the client to read large amounts of data into memory, potentially causing OOM or other DoS.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 12	python3.11	=3.11.2-6 \|\| =3.11.2-6+deb12u1 \|\| =3.11.2-6+deb12u2 \|\| =3.11.2-6+deb12u3 \|\| =3.11.2-6+deb12u4 \|\| =3.11.2-6+deb12u5 \|\| =3.11.2-6+deb12u6 \|\| >=0 <3.11.2-6+deb12u7	3.11.2-6+deb12u7
debian 13	python3.13	=3.13.5-2 \|\| >=0 <3.13.5-2+deb13u1	3.13.5-2+deb13u1
debian 14	python3.14	=3.14.0-1 \|\| =3.14.0-2 \|\| =3.14.0-3 \|\| =3.14.0-4 \|\| =3.14.0-5 \|\| =3.14.0~a7-1 \|\| =3.14.0~b1-1 \|\| =3.14.0~b2-1 \|\| =3.14.0~b3-1 \|\| =3.14.0~b4-1 \|\| =3.14.0~rc1-1 \|\| =3.14.0~rc2-1 \|\| =3.14.0~rc3-1 \|\| >=0 <3.14.2-1	3.14.2-1
debian 14	python3.13	=3.13.5-2 \|\| =3.13.6-1 \|\| =3.13.7-1 \|\| =3.13.8-1 \|\| =3.13.9-1 \|\| >=0 <3.13.11-1	3.13.11-1
debian 12	pypy3	=7.3.11+dfsg-2 \|\| =7.3.11+dfsg-2+deb12u1 \|\| =7.3.11+dfsg-2+deb12u2 \|\| =7.3.11+dfsg-2+deb12u3 \|\| =7.3.12+dfsg-1 \|\| =7.3.12~rc1+dfsg-1 \|\| =7.3.12~rc2+dfsg-1 \|\| =7.3.13+dfsg-1 \|\| =7.3.14+dfsg-1 \|\| =7.3.15+dfsg-1 \|\| =7.3.16+dfsg-1 \|\| =7.3.16+dfsg-2 \|\| =7.3.17+dfsg-1 \|\| =7.3.17+dfsg-2 \|\| =7.3.17+dfsg-3 \|\| =7.3.18+dfsg-1 \|\| =7.3.18+dfsg-2 \|\| =7.3.19+dfsg-1 \|\| =7.3.19+dfsg-2 \|\| =7.3.20+dfsg-1 \|\| =7.3.20+dfsg-2 \|\| =7.3.20+dfsg-3 \|\| =7.3.20+dfsg-4 \|\| =7.3.21+dfsg-1 \|\| =7.3.21+dfsg-2 \|\| =7.3.21+dfsg-3 \|\| =7.3.21+dfsg-4 \|\| =7.3.22+dfsg-1	-
debian 14	pypy3	=7.3.19+dfsg-2 \|\| =7.3.20+dfsg-1 \|\| =7.3.20+dfsg-2 \|\| =7.3.20+dfsg-3 \|\| =7.3.20+dfsg-4 \|\| >=0 <7.3.21+dfsg-1	7.3.21+dfsg-1
debian 13	pypy3	=7.3.19+dfsg-2 \|\| =7.3.20+dfsg-1 \|\| =7.3.20+dfsg-2 \|\| =7.3.20+dfsg-3 \|\| =7.3.20+dfsg-4 \|\| =7.3.21+dfsg-1 \|\| =7.3.21+dfsg-2 \|\| =7.3.21+dfsg-3 \|\| =7.3.21+dfsg-4 \|\| =7.3.22+dfsg-1	-
debian 11	python3.9	=3.9.2-1 \|\| =3.9.2-1+deb11u1 \|\| =3.9.2-1+deb11u2 \|\| =3.9.2-1+deb11u3 \|\| >=0 <3.9.2-1+deb11u4	3.9.2-1+deb11u4
rpm rhel10.0	python3.12	<0:3.12.9-2.el10_0.6	0:3.12.9-2.el10_0.6
rpm rhel9.6	python3.12	<0:3.12.9-1.el9_6.5	0:3.12.9-1.el9_6.5

1-10 of 18

Aliases

1. CVE-2025-138362. NVD-2025-138363. OSV-DEBIAN-2025-138364. OSV-2025-138365. SECURITY-TRACKER-CVE-2025-13836

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.