CVE-2025-63651
Published: 29 January 2026
Summary
CVE-2025-63651 is a high-severity Use After Free (CWE-416) vulnerability in Monkey-Project Monkey. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 20.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-63651 is a use-after-free vulnerability in the mk_string_char_search function within mk_core/mk_string.c of the Monkey web server at commit f37e984. The flaw is tracked under CWE-416 and carries a CVSS 3.1 base score of 7.5 reflecting network attackability without credentials or user interaction.
An unauthenticated remote attacker can trigger the condition by submitting a crafted HTTP request, resulting in a denial-of-service crash of the server process. The EPSS score remains flat at 0.0122 with no material increase after disclosure.
Public references point to a security advisory and the upstream issue tracker for further details on affected versions and any available remediation steps. No information on observed in-the-wild exploitation is provided.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-206528
Vulnerability details
A use-after-free in the mk_string_char_search function (mk_core/mk_string.c) of monkey commit f37e984 allows attackers to cause a Denial of Service (DoS) via sending a crafted HTTP request to the server.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Use-after-free in public-facing Monkey web server directly enables remote unauthenticated exploitation via crafted HTTP request for DoS impact.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly mandates identification, reporting, and timely remediation of the use-after-free flaw in the Monkey web server's mk_string_char_search function to prevent exploitation.
Implements memory protection mechanisms such as address space layout randomization and stack canaries to mitigate use-after-free vulnerabilities exploited by crafted HTTP requests.
Provides denial-of-service protections to limit the impact of service crashes or interruptions caused by the use-after-free triggered by malicious HTTP requests.