Open
Description
http.client.HTTPResponse.read() (without argument) consumes the amount of memory specified by the value of the Content-Length header in the response before it starts receiving the data from the socket. Normally, if the server does not send enough data, the client gets an IncompleteRead error, but if Content-Length is too large, it can consume a large amount of memory and CPU time and cause swapping. Therefore, a maleficent server can cause a DoS attack on the client by sending a small response.
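A client-side mitigation for the behaviour described above, added here as an example and not code from the issue or the linked fix: a constructed local server advertises a 1 TiB Content-Length but sends five bytes, and the client rejects an advertised length over a cap and reads in fixed-size chunks so allocation tracks bytes actually received rather than the header value. MAX_BODY and CHUNK are assumed policy values.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

MAX_BODY = 1 << 20   # assumed cap on accepted body size (1 MiB)
CHUNK = 64 * 1024    # assumed per-read allocation bound


class BogusLengthHandler(BaseHTTPRequestHandler):
    """Constructed test server: claims a 1 TiB body, sends 5 bytes, closes."""

    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Length", str(1 << 40))
        self.end_headers()
        self.wfile.write(b"hello")

    def log_message(self, *args):  # keep test output quiet
        pass


def start_server():
    srv = HTTPServer(("127.0.0.1", 0), BogusLengthHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def read_body_bounded(resp, max_body=MAX_BODY, chunk=CHUNK):
    """Read a body without letting Content-Length size the allocation.

    Rejects an advertised length above max_body before reading anything,
    then reads in fixed chunks (read(amt) never allocates more than amt)
    and stops as soon as the received total exceeds the cap.
    """
    declared = resp.getheader("Content-Length")
    if declared is not None and int(declared) > max_body:
        raise ValueError(f"Content-Length {declared} exceeds cap {max_body}")
    buf = bytearray()
    while part := resp.read(chunk):   # short/empty read => server stopped
        buf += part
        if len(buf) > max_body:
            raise ValueError("body exceeds cap")
    return bytes(buf)


def fetch(port, max_body=MAX_BODY):
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    try:
        conn.request("GET", "/")
        return read_body_bounded(conn.getresponse(), max_body)
    finally:
        conn.close()
```

With the default cap the response is refused up front; raising the cap above the bogus header shows the chunked loop returning only the five bytes the server actually sent.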
Linked PRs
- gh-119451: Fix a potential denial of service in http.client #119454
- [3.14] gh-119451: Fix a potential denial of service in http.client (GH-119454) #142138
- [3.13] gh-119451: Fix a potential denial of service in http.client (GH-119454) #142139
- [3.12] gh-119451: Fix a potential denial of service in http.client (GH-119454) #142140
- [3.11] gh-119451: Fix a potential denial of service in http.client (GH-119454) #142141
- [3.10] gh-119451: Fix a potential denial of service in http.client (GH-119454) #142142