Whenhttp.server.CGIHTTPRequestHandler on Windows (and other platforms withoutfork()) handles the POST request, it reads the whole body of the POST request in memory before sending it to the subprocess running the script. The underlying SocketIO allocates the amount of memory specified in theContent-Length header before actual reading the data, so a small request with incorrectContent-Length can cause consumption of the large amount of memory and CPU time and can be used in the DOS attack on the server.

Linked PRs

• gh-119452: Fix OOM vulnerability in http.server #119455