CVE-2025-63650
Published: 29 January 2026
Summary
CVE-2025-63650 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in Monkey-Project Monkey. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked in the top 23.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
SI-2 Flaw Remediation mandates timely patching of vulnerabilities like the out-of-bounds read in Monkey's mk_ptr_to_buf function to prevent DoS crashes from crafted HTTP requests.
SI-16 Memory Protection implements mechanisms to safeguard against out-of-bounds memory reads, directly mitigating the CWE-125 flaw in mk_memory.c that causes server crashes.
SI-10 Information Input Validation ensures HTTP requests are validated before processing, reducing the risk of crafted inputs triggering the out-of-bounds read in mk_core.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Out-of-bounds read in public-facing Monkey web server directly enables remote application exploitation resulting in DoS via crafted HTTP request and server crash.
NVD Description
An out-of-bounds read in the mk_ptr_to_buf in mk_core function (mk_memory.c) of monkey commit f37e984 allows attackers to cause a Denial of Service (DoS) via sending a crafted HTTP request to the server.
Deeper analysisAI
CVE-2025-63650 is an out-of-bounds read vulnerability in the mk_ptr_to_buf function within the mk_core function of mk_memory.c in Monkey web server at commit f37e984. This flaw, classified under CWE-125, enables attackers to trigger a Denial of Service (DoS) condition. The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high severity due to its potential for significant availability impact without requiring authentication or user interaction.
Remote attackers can exploit this vulnerability by sending a specially crafted HTTP request to a vulnerable Monkey server instance accessible over the network. Successful exploitation leads to a server crash, disrupting service availability, but does not allow for confidentiality or integrity violations.
Mitigation details and related discussions are available in the referenced advisories, including the Archer Security advisory at https://github.com/archersec/security-advisories/blob/master/monkey/monkey-advisory-2025.md and the Monkey project issue tracker at https://github.com/monkey/monkey/issues/426. Security practitioners should consult these sources for patching instructions or workarounds specific to affected versions.
Details
- CWE(s)