Cyber Resilience

CVE-2025-63650

HighPublic PoC

Published: 29 January 2026

Published
29 January 2026
Modified
19 February 2026
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score 0.0131 80.2th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-63650 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in Monkey-Project Monkey. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked in the top 19.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-63650 is an out-of-bounds read vulnerability in the mk_ptr_to_buf function within the mk_core component of the Monkey web server, specifically in mk_memory.c at commit f37e984. The flaw is tracked under CWE-125 and carries a CVSS 3.1 score of 7.5, reflecting network-accessible exploitation without authentication or user interaction that results in high availability impact.

Unauthenticated remote attackers can trigger the issue by sending a specially crafted HTTP request to an affected Monkey server instance, leading to a denial-of-service condition. The EPSS score remains flat at 0.0131 with no material increase observed after disclosure.

Public references point to a security advisory and an associated GitHub issue for Monkey, though no specific patch or mitigation details are provided in the available data.

EU & UK References

Vulnerability details

An out-of-bounds read in the mk_ptr_to_buf in mk_core function (mk_memory.c) of monkey commit f37e984 allows attackers to cause a Denial of Service (DoS) via sending a crafted HTTP request to the server.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Out-of-bounds read in public-facing Monkey web server directly enables remote application exploitation resulting in DoS via crafted HTTP request and server crash.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-63653Same product: Monkey-Project Monkey
CVE-2025-63657Same product: Monkey-Project Monkey
CVE-2025-63649Same product: Monkey-Project Monkey
CVE-2025-63652Same product: Monkey-Project Monkey
CVE-2025-63656Same product: Monkey-Project Monkey
CVE-2025-63658Same product: Monkey-Project Monkey
CVE-2025-63655Same product: Monkey-Project Monkey
CVE-2025-63651Same product: Monkey-Project Monkey
CVE-2026-23388Shared CWE-125
CVE-2025-24265Shared CWE-125

Affected Assets

monkey-project
monkey
≤ 1.8.5

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

SI-2 Flaw Remediation mandates timely patching of vulnerabilities like the out-of-bounds read in Monkey's mk_ptr_to_buf function to prevent DoS crashes from crafted HTTP requests.

prevent

SI-16 Memory Protection implements mechanisms to safeguard against out-of-bounds memory reads, directly mitigating the CWE-125 flaw in mk_memory.c that causes server crashes.

prevent

SI-10 Information Input Validation ensures HTTP requests are validated before processing, reducing the risk of crafted inputs triggering the out-of-bounds read in mk_core.

References