SB2025120603 - Remote denial of service in Python
Published: December 6, 2025
Security Bulletin ID
SB2025120603
Severity
Medium
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Denial of service
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) Resource exhaustion (CVE-ID: CVE-2025-13837)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources in Lib/plistlib.py. A remote attacker can pass a specially crafted file to the application, trigger memory exhaustion and perform a denial of service (DoS) attack.
Remediation
Install update from vendor's website.
References
- https://github.com/python/cpython/commit/694922cf40aa3a28f898b5f5ee08b71b4922df70
- https://github.com/python/cpython/commit/71fa8eb8233b37f16c88b6e3e583b461b205d1ba
- https://github.com/python/cpython/commit/b64441e4852383645af5b435411a6f849dd1b4cb
- https://github.com/python/cpython/issues/119342
- https://github.com/python/cpython/pull/119343
- https://mail.python.org/archives/list/security-announce@python.org/thread/2X5IBCJXRQAZ5PSERLHMSJFBHFR3QM2C/