http.client.HTTPResponse.read() (without argument) consumes the amount of memory specified by the value of the Content-Lenght header in the response before starting receiving the data from the socket. Normally, if the server does not send enough data, the client gets IncompleteRead error, but if Content-Lenght is too large, it can consume a large amount of memory and CPU time and cause swapping. Therefore, a maleficent server can cause a DOS attack on client by sending a small response.

Linked PRs

• gh-119451: Fix OOM vulnerability in http.client #119454