xmlrpc gzip unlimited read


This resource is maintained for historical reference and does not contain the latest vulnerability info for Python.

The canonical database for vulnerabilities affecting Python is available on GitHub in the Open Source Vulnerability (OSV) format. This vulnerability can be viewed online at the Open Source Vulnerability Database.

Add a default limit for the amount of data xmlrpclib.gzip_decode() will return. The fix adds a max_decode parameter with a default of 20 MiB (20971520 bytes); a decompressed body larger than the limit raises ValueError, and passing max_decode=-1 restores the old unbounded behaviour.


  • Disclosure date: 2012-09-25 (Python issue bpo-16043 reported)
  • Red Hat impact: Moderate

Fixed In

Python issue

xmlrpc: gzip_decode has unlimited read().

  • Python issue: bpo-16043
  • Creation date: 2012-09-25
  • Reporter: Christian Heimes


The gzip_decode function in the xmlrpc client library in Python 3.4 and earlier allows remote attackers to cause a denial of service (memory consumption) via a crafted HTTP request.
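The memory-consumption problem described above and the shape of the bpo-16043 fix, as an added example (it is not code from this page, from python-security, or from CPython). A highly compressible body is constructed inline as the attacker payload; vulnerable_gzip_decode mirrors the pre-fix pattern (an unbounded read()), bounded_gzip_decode mirrors the post-fix pattern (read at most max_decode + 1 bytes, then reject), and the stdlib xmlrpc.client.gzip_decode of a fixed interpreter is called alongside for comparison. The function names, sizes and limit values are illustrative choices, not the project's.

```python
"""bpo-16043 / CVE-2013-1753: xmlrpc gzip_decode() reads an unbounded amount
of decompressed data from an attacker-supplied HTTP body.

Added example, not code from the page or from CPython. The vulnerable
function mirrors the pre-fix behaviour; the bounded one mirrors the fix.
"""
import gzip
import xmlrpc.client
from io import BytesIO


def make_gzip_bomb(decoded_size: int) -> bytes:
    """Constructed attacker payload: decoded_size zero bytes, gzip-compressed.
    Runs of zeros compress roughly 1000:1, so a few KB of request body
    expand to megabytes of allocation on the decoding side."""
    buf = BytesIO()
    with gzip.GzipFile(mode="wb", fileobj=buf) as f:
        f.write(b"\0" * decoded_size)
    return buf.getvalue()


def vulnerable_gzip_decode(data: bytes) -> bytes:
    """Pre-fix pattern: read() with no limit, so the amount of memory used
    is whatever the compressed stream says it is."""
    with gzip.GzipFile(mode="rb", fileobj=BytesIO(data)) as f:
        return f.read()


def bounded_gzip_decode(data: bytes, max_decode: int = 20 * 1024 * 1024) -> bytes:
    """Fix pattern: read at most max_decode + 1 bytes and reject the body if
    that many arrived. Reading one byte past the limit distinguishes "exactly
    max_decode bytes" (allowed) from "more than max_decode" (rejected)
    without ever decompressing the rest of the stream. max_decode < 0
    disables the limit, as in the stdlib fix."""
    with gzip.GzipFile(mode="rb", fileobj=BytesIO(data)) as f:
        try:
            if max_decode < 0:
                decoded = f.read()
            else:
                decoded = f.read(max_decode + 1)
        except OSError:  # bad gzip header / corrupt stream
            raise ValueError("invalid data")
    if max_decode >= 0 and len(decoded) > max_decode:
        raise ValueError("max gzipped payload length exceeded")
    return decoded


def demo(decoded_size: int = 8 * 1024 * 1024, limit: int = 1024 * 1024) -> dict:
    """Run one constructed payload through all three decoders and report
    the compressed size, what the unbounded read allocated, and whether the
    bounded decoders rejected it."""
    bomb = make_gzip_bomb(decoded_size)
    result = {
        "compressed_bytes": len(bomb),
        "vulnerable_decoded_bytes": len(vulnerable_gzip_decode(bomb)),
    }
    try:
        bounded_gzip_decode(bomb, max_decode=limit)
        result["bounded_rejected"] = False
    except ValueError:
        result["bounded_rejected"] = True
    # Python >= 3.4.3 / 2.7.9 ships the same limit as a max_decode argument.
    try:
        xmlrpc.client.gzip_decode(bomb, max_decode=limit)
        result["stdlib_rejected"] = False
    except ValueError:
        result["stdlib_rejected"] = True
    return result


if __name__ == "__main__":
    r = demo()
    print(f"{r['compressed_bytes']} compressed bytes -> "
          f"{r['vulnerable_decoded_bytes']} bytes with an unbounded read; "
          f"bounded decoder rejected: {r['bounded_rejected']}, "
          f"stdlib gzip_decode rejected: {r['stdlib_rejected']}")
```

The sizes are deliberately small (an 8 MiB expansion against a 1 MiB limit) so the script runs in well under a second; the real-world concern is the same ratio applied to a body that expands to gigabytes. The same bounded-read pattern applies to any decompression of untrusted input (zlib, bz2, lzma), not only to the XML-RPC transport.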


Timeline using the disclosure date 2012-09-25 as reference:

  • 2012-09-25: Python issue bpo-16043 reported by Christian Heimes
  • 2014-12-06 (+802 days): commit 4e9cefa (branch 3.2)
  • 2014-12-06 (+802 days): commit 9e8f523 (branch 2.7)
  • 2014-12-10 (+806 days): Python 2.7.9 released
  • 2015-02-25 (+883 days): Python 3.4.3 released
  • 2015-09-12 (+1082 days): Python 3.5.0 released
  • 2017-09-19 (+1820 days): Python 3.3.7 released
  • 2020-03-11 (+2724 days): CVE-2013-1753 published