CVE-2025-63649
Published: 29 January 2026
Summary
CVE-2025-63649 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in Monkey-Project Monkey. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability is ranked at the 15.8th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-63649 is an out-of-bounds read vulnerability in the http_parser_transfer_encoding_chunked function located in mk_server/mk_http_parser.c of the Monkey HTTP server at commit f37e984. This flaw affects deployments of Monkey, a lightweight open-source web server, where the parser mishandles chunked transfer encoding in HTTP requests, leading to potential memory access errors.
Remote attackers can exploit this vulnerability without authentication by sending a specially crafted POST request to a vulnerable Monkey server instance. The CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) indicates high severity due to its network accessibility, low attack complexity, and ability to cause a full Denial of Service (DoS) by crashing the server process, rendering the service unavailable.
Mitigation details and patches are documented in related advisories, including the Archer Security advisory at https://github.com/archersec/security-advisories/blob/master/monkey/monkey-advisory-2025.md and the Monkey project issue tracker at https://github.com/monkey/monkey/issues/426, which security practitioners should consult for upgrade instructions or workarounds. The vulnerability is associated with CWE-125 (Out-of-bounds Read).
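To make the bug class concrete from the defender's side, the following is an added example (not Monkey's code and not the vulnerable http_parser_transfer_encoding_chunked function) of a chunked transfer-encoding body parser in which every read is guarded by the remaining buffer length. The failure mode the advisory describes is a parser that walks past the end of the received request when a chunk-size field promises more bytes than actually arrived; the constructed parser below instead reports CHUNK_INCOMPLETE and asks for more data. The function names, the status enum and the sample requests are all constructed for this example.

```c
/* Added example: bounds-checked HTTP/1.1 chunked-body parser.
 * Constructed for illustration; it is not the Monkey project's parser.
 * Invariant: no byte outside buf[0..len) is ever read. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

enum chunk_status {
    CHUNK_OK = 0,         /* body complete: zero-size chunk and trailers consumed */
    CHUNK_INCOMPLETE = 1, /* buffer ended early: caller must read more, not over-read */
    CHUNK_INVALID = 2     /* malformed chunk-size line or framing */
};

/* Parse the chunked body in buf[0..len). On CHUNK_OK, *body_len is the
 * total decoded payload length. Chunk extensions and trailers are skipped. */
enum chunk_status parse_chunked(const char *buf, size_t len, size_t *body_len)
{
    size_t pos = 0, total = 0;

    for (;;) {
        size_t size = 0;
        int digits = 0;

        /* chunk-size: 1*HEXDIG, capped to keep the value bounded */
        while (pos < len) {
            unsigned char c = (unsigned char)buf[pos];
            int v;
            if (c >= '0' && c <= '9')      v = c - '0';
            else if (c >= 'a' && c <= 'f') v = c - 'a' + 10;
            else if (c >= 'A' && c <= 'F') v = c - 'A' + 10;
            else break;
            if (digits >= 8) return CHUNK_INVALID;
            size = size * 16 + (size_t)v;
            digits++;
            pos++;
        }
        if (pos >= len)  return CHUNK_INCOMPLETE; /* size line not finished yet */
        if (digits == 0) return CHUNK_INVALID;    /* no hex digit at all */

        /* optional ";ext" up to CR, then CRLF (checked before being read) */
        if (buf[pos] == ';')
            while (pos < len && buf[pos] != '\r') pos++;
        if (len - pos < 2) return CHUNK_INCOMPLETE;
        if (buf[pos] != '\r' || buf[pos + 1] != '\n') return CHUNK_INVALID;
        pos += 2;

        if (size == 0) {
            /* last-chunk: skip trailer lines until the terminating empty line */
            for (;;) {
                if (len - pos < 2) return CHUNK_INCOMPLETE;
                if (buf[pos] == '\r' && buf[pos + 1] == '\n') {
                    *body_len = total;
                    return CHUNK_OK;
                }
                while (pos < len && buf[pos] != '\n') pos++;
                if (pos >= len) return CHUNK_INCOMPLETE;
                pos++;
            }
        }

        /* chunk-data: the guard that an out-of-bounds-read parser lacks.
         * If fewer than `size` bytes remain, stop instead of reading past len. */
        if (len - pos < size) return CHUNK_INCOMPLETE;
        if (SIZE_MAX - total < size) return CHUNK_INVALID;
        pos += size;
        total += size;

        if (len - pos < 2) return CHUNK_INCOMPLETE;
        if (buf[pos] != '\r' || buf[pos + 1] != '\n') return CHUNK_INVALID;
        pos += 2;
    }
}

/* Convenience wrappers for NUL-terminated test inputs. */
enum chunk_status check_chunked(const char *s)
{
    size_t n = 0;
    return parse_chunked(s, strlen(s), &n);
}

long decoded_len(const char *s)
{
    size_t n = 0;
    return parse_chunked(s, strlen(s), &n) == CHUNK_OK ? (long)n : -1L;
}

int main(void)
{
    /* constructed requests: a complete body and a truncated one */
    const char *good = "5\r\nhello\r\n0\r\n\r\n";
    const char *cut  = "5\r\nhel";
    printf("complete body -> status %d, %ld bytes\n", check_chunked(good), decoded_len(good));
    printf("truncated body -> status %d (incomplete, no over-read)\n", check_chunked(cut));
    return 0;
}
```

The key line is the `len - pos < size` check before the chunk payload is consumed: a parser that trusts the hex chunk-size field and advances over `size` bytes unconditionally will read past the end of the request buffer on a truncated or crafted request, which is exactly the CWE-125 condition that crashes the process.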
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-206530
Vulnerability details
An out-of-bounds read in the http_parser_transfer_encoding_chunked function (mk_server/mk_http_parser.c) of monkey commit f37e984 allows attackers to cause a Denial of Service (DoS) via sending a crafted POST request to the server.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The out-of-bounds read in the public-facing Monkey HTTP server parser directly enables remote, unauthenticated exploitation (Exploit Public-Facing Application, T1190), with crafted requests crashing the application (Endpoint Denial of Service: Application or System Exploitation, T1499.004).
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly remediates the out-of-bounds read flaw in the Monkey HTTP server's chunked transfer encoding parser by identifying, prioritizing, and applying patches or updates.
- SI-16 (Memory Protection): implements memory protection techniques that safeguard against unauthorized memory access, directly mitigating the out-of-bounds read vulnerability that leads to DoS.
- SC-5 (Denial-of-Service Protection): provides denial-of-service protections to limit the effects of crafted requests that exploit the vulnerability and crash the server process.