CVE-2025-13837

5.5 MEDIUM

📋 TL;DR

CVE-2025-13837 is a denial-of-service vulnerability in Python's plistlib module where malicious plist files can trigger excessive memory allocation, causing out-of-memory conditions and service crashes. This affects any Python application that processes untrusted plist files, particularly web applications, file parsers, and data processing services.

💻 Affected Systems

Products:
  • Python
  • Applications using Python's plistlib module
Versions: Python versions before 3.13.2, 3.12.7, 3.11.12, 3.10.14
Operating Systems: All operating systems running affected Python versions
Default Config Vulnerable: ⚠️ Yes
Notes: Only vulnerable when processing plist files from untrusted sources. Applications that don't use plistlib or only process trusted plist files are not affected.

📦 What is this software?

Python by Python

Python is a high-level, interpreted programming language known for its readability and versatility. It is widely used in web development, data science, automation, and scientific computing.

Learn more about Python →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete service disruption through resource exhaustion, potentially affecting multiple services on the same host due to memory starvation.

🟠

Likely Case

Application crashes or becomes unresponsive when processing malicious plist files, requiring manual intervention to restart.

🟢

If Mitigated

Limited impact with proper input validation and resource limits in place, potentially causing only individual request failures.

🌐 Internet-Facing: MEDIUM - Applications accepting file uploads or processing external plist files are vulnerable to DoS attacks.
🏢 Internal Only: LOW - Requires malicious plist files to be processed internally, typically through user uploads or compromised data sources.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only creating a malicious plist file with crafted size fields. The GitHub issue includes proof-of-concept examples.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Python 3.13.2, 3.12.7, 3.11.12, 3.10.14

Vendor Advisory: https://github.com/python/cpython/issues/119342

Restart Required: Yes

Instructions:

1. Identify the Python version with 'python --version'.
2. Upgrade to a patched version using the system package manager or the Python installer.
3. Restart all Python applications and services.
4. Test plist processing functionality.

🔧 Temporary Workarounds

Input validation and size limits

Platform: all

Implement file size validation and memory limits before processing plist files

# Python example: Validate file size before processing
import os
MAX_PLIST_SIZE = 10485760  # 10MB
if os.path.getsize('file.plist') > MAX_PLIST_SIZE:
    raise ValueError('File too large')

Resource limits for Python processes

Platform: linux

Set memory limits on Python processes using system controls

# Linux using ulimit
ulimit -v 1000000  # Limit to 1GB virtual memory
# Or using systemd service file:
# MemoryMax=1G

🧯 If You Can't Patch

  • Implement strict input validation rejecting plist files from untrusted sources
  • Deploy memory monitoring and automatic restart mechanisms for Python services
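As an added example (not code from the advisory or from CPython), the size cap from the workaround above combined with a sanity check of the binary plist trailer before the bytes reach plistlib: a file whose declared object count or offset table cannot fit inside its own length is rejected up front. The trailer field layout (offset int size, object reference size, object count, top object index, offset table offset) is assumed from the public bplist format, and the sample inputs are constructed; this is a pre-filter for untrusted input, not a substitute for upgrading.

```python
import plistlib
import struct

MAX_PLIST_SIZE = 10 * 1024 * 1024  # 10 MB cap, same figure as the workaround above

class UnsafePlist(ValueError):
    """Raised when a plist fails the pre-parse sanity checks."""

def check_bplist_trailer(data: bytes) -> None:
    """Reject a binary plist whose trailer-declared sizes cannot fit in the file."""
    if len(data) < 8 + 32:
        raise UnsafePlist("binary plist shorter than header plus trailer")
    # Trailer layout assumed from the public bplist format (32 bytes, big-endian):
    # 6 unused, offset int size, object ref size, object count, top index, table offset
    offset_size, ref_size, num_objects, top_object, table_offset = struct.unpack(
        ">6xBBQQQ", data[-32:])
    if offset_size == 0 or ref_size == 0:
        raise UnsafePlist("zero-width integer size in trailer")
    table_bytes = len(data) - 32 - table_offset
    if table_offset < 8 or table_bytes <= 0:
        raise UnsafePlist("offset table lies outside the file")
    # Each declared object needs one offset entry inside the file; a huge object
    # count in a small file is the crafted-size-field case the advisory describes.
    if num_objects > table_bytes // offset_size:
        raise UnsafePlist(f"trailer declares {num_objects} objects; file cannot hold them")
    if top_object >= num_objects:
        raise UnsafePlist("top object index out of range")

def safe_loads(data: bytes, max_size: int = MAX_PLIST_SIZE):
    """Size-cap and sanity-check untrusted plist bytes, then hand them to plistlib."""
    if len(data) > max_size:
        raise UnsafePlist(f"plist is {len(data)} bytes, cap is {max_size}")
    if data.startswith(b"bplist00"):
        check_bplist_trailer(data)
    return plistlib.loads(data)

def try_load(data: bytes, **kwargs) -> str:
    """Return 'ok' or the exception class name, suitable for a log line."""
    try:
        safe_loads(data, **kwargs)
        return "ok"
    except (plistlib.InvalidFileException, ValueError) as exc:
        return type(exc).__name__

def constructed_samples():
    """Constructed inputs: valid binary, valid XML, and a binary with its body removed."""
    good = plistlib.dumps({"key": "value"}, fmt=plistlib.FMT_BINARY)
    xml = plistlib.dumps({"n": 1})
    truncated = good[:8] + good[-32:]  # header + trailer only; table offset dangles
    return good, xml, truncated
```

The string returned by try_load can feed the log indicators listed below: a run of UnsafePlist results from one upload source is a detection signal in its own right.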

🔍 How to Verify

Check if Vulnerable:

Check Python version and test with a crafted plist file containing large size fields

Check Version:

python --version

Verify Fix Applied:

Test plist processing with the same malicious file after patching - should reject or handle safely

📡 Detection & Monitoring

Log Indicators:

  • Python process crashes with memory errors
  • High memory usage spikes during file processing
  • Repeated plist parsing failures

Network Indicators:

  • Multiple large file uploads to plist processing endpoints
  • Unusual plist file sizes in network traffic

SIEM Query:

source="application.log" AND ("MemoryError" OR "plistlib" OR "out of memory") AND process="python"
