CVE-2025-13837

NameCVE-2025-13837
DescriptionWhen loading a plist file, the plistlib module reads data in size specified by the file itself, meaning a malicious file can cause OOM and DoS issues
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
python3.11 (PTS)bookworm3.11.2-6+deb12u6vulnerable
bookworm (security)3.11.2-6+deb12u3vulnerable
python3.13 (PTS)trixie3.13.5-2vulnerable
forky, sid3.13.11-1fixed
python3.14 (PTS)forky, sid3.14.2-1fixed
python3.9 (PTS)bullseye3.9.2-1vulnerable
bullseye (security)3.9.2-1+deb11u3vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
python3.11source(unstable)(unfixed)
python3.13source(unstable)3.13.11-1
python3.14source(unstable)3.14.2-1
python3.9source(unstable)(unfixed)

Notes

[trixie] - python3.13 <no-dsa> (Minor issue)
[bookworm] - python3.11 <no-dsa> (Minor issue)
[bullseye] - python3.9 <postponed> (Minor issue)
https://github.com/python/cpython/issues/119342
https://github.com/python/cpython/pull/119343
https://github.com/python/cpython/commit/694922cf40aa3a28f898b5f5ee08b71b4922df70 (main)
https://github.com/python/cpython/commit/b64441e4852383645af5b435411a6f849dd1b4cb (v3.14.1)
https://github.com/python/cpython/commit/71fa8eb8233b37f16c88b6e3e583b461b205d1ba (v3.13.10)
Search for package or bug name: Reporting problems