Description
CVE-2025-13836 is a High severity (CVSS 7.5) denial-of-service vulnerability in Python's http.client module. When HTTPResponse.read() is called without an amount, affected versions trust the server-supplied Content-Length header and pre-allocate a buffer of that size before any body bytes have arrived. A malicious or compromised server can therefore drive the client into out-of-memory conditions simply by sending a very large Content-Length value; it never has to send the body itself.
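To make the mechanism concrete, the following is an added example (not code from this report or from rune-ui) of the defense-in-depth an http.client caller can apply regardless of interpreter version: it compares the declared Content-Length against a byte budget before reading any body, and reads the body in bounded chunks instead of calling HTTPResponse.read() with no amount, which is the call that pre-allocates on unpatched versions. FakeServer, fetch_bounded and ResponseTooLarge are hypothetical names; FakeServer is a constructed test double that sends whatever Content-Length it is told to.

```python
import http.client
import socket
import threading


class ResponseTooLarge(Exception):
    """Raised when a response body would exceed the caller's byte budget."""


class FakeServer:
    """Constructed test double: a one-shot HTTP/1.1 server that sends whatever
    Content-Length it is told to, regardless of how many body bytes it sends.
    content_length=None omits the header (read-until-close semantics)."""

    def __init__(self, content_length, body=b"hello"):
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))
        self.sock.listen(1)
        self.port = self.sock.getsockname()[1]
        headers = "HTTP/1.1 200 OK\r\nConnection: close\r\n"
        if content_length is not None:
            headers += "Content-Length: %d\r\n" % content_length
        self.payload = headers.encode() + b"\r\n" + body
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        conn, _ = self.sock.accept()
        try:
            conn.recv(4096)          # discard the request; we answer regardless
            conn.sendall(self.payload)
        except OSError:
            pass                     # client closed early, expected when it refuses the body
        finally:
            conn.close()
            self.sock.close()


def fetch_bounded(host, port, path, max_bytes, chunk_size=64 * 1024):
    """Read a response body without trusting Content-Length for allocation.

    Never calls resp.read() with no amount: on an unpatched interpreter that
    pre-allocates Content-Length bytes. The declared length is checked against
    the budget first, then the body is read in bounded chunks so a server that
    omits or understates Content-Length is capped as well."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()    # headers only; no body bytes are buffered yet
        # resp.length is http.client's parsed Content-Length (None if absent or chunked).
        if resp.length is not None and resp.length > max_bytes:
            raise ResponseTooLarge(
                "declared Content-Length %d exceeds budget %d" % (resp.length, max_bytes))
        received = bytearray()
        while len(received) <= max_bytes:
            # Ask for at most one byte past the budget so an overrun is detected
            # without ever issuing a large read.
            piece = resp.read(min(chunk_size, max_bytes + 1 - len(received)))
            if not piece:
                return bytes(received)
            received += piece
        raise ResponseTooLarge("body exceeded budget of %d bytes" % max_bytes)
    finally:
        conn.close()


def demo():
    """Run three scenarios against local fake servers and report the outcomes."""
    results = {}

    # Honest server: accurate Content-Length, small body.
    srv = FakeServer(content_length=5, body=b"hello")
    results["honest"] = fetch_bounded("127.0.0.1", srv.port, "/", max_bytes=1 << 20)

    # Malicious server claims a 1 TiB body; the budget check refuses it before
    # a single body byte is read (a bare resp.read() here is the OOM the CVE describes).
    srv = FakeServer(content_length=1 << 40, body=b"hello")
    try:
        fetch_bounded("127.0.0.1", srv.port, "/", max_bytes=1 << 20)
        results["huge_declared"] = "accepted"
    except ResponseTooLarge:
        results["huge_declared"] = "refused"

    # No Content-Length at all and a body larger than the budget: the chunked
    # loop stops at budget + 1 bytes instead of reading until close.
    srv = FakeServer(content_length=None, body=b"x" * 4096)
    try:
        fetch_bounded("127.0.0.1", srv.port, "/", max_bytes=1024)
        results["oversize_undeclared"] = "accepted"
    except ResponseTooLarge:
        results["oversize_undeclared"] = "refused"

    return results


if __name__ == "__main__":
    print(demo())
```

This is a caller-side mitigation only: it limits what a single lying server can make this client allocate, but it does not fix the interpreter, so the base-image update below is still required. The 1 TiB case is deliberately never exercised with a bare read(), since on an unpatched CPython that would reproduce the out-of-memory condition rather than demonstrate the guard.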
Impact
The rune-ui container image uses python:3.13-slim-bookworm as its base image. Because 3.13 is a floating tag, it does not guarantee a patch release that contains the fix; when it resolves to a vulnerable CPython build, the SBOM-and-CVE-Policy CI gate flags this CVE in the image and blocks all PRs.
Fix
Pin the base image to python:3.13.11-slim-bookworm, which includes the fix (commit 289f29b0fe38baf2d7cb5854f4bb573cc34a6a15). After the change, confirm that the CPython version reported inside the built image is the one the gate expects, since even a patch-level tag can be re-pushed by the image publisher; pinning the image digest as well makes the build reproducible.
References