CVE-2025-63652
Published: 29 January 2026
Summary
CVE-2025-63652 is a high-severity Use After Free (CWE-416) vulnerability in Monkey-Project Monkey. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked in the top 19.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-63652 is a use-after-free vulnerability in the mk_http_request_end function within mk_server/mk_http.c of the Monkey HTTP server at commit f37e984. The flaw is tracked under CWE-416 and carries a CVSS 3.1 score of 7.5, reflecting network-reachable denial-of-service impact without authentication or user interaction.
An unauthenticated remote attacker can trigger the condition by sending a single crafted HTTP request to the server, resulting in a crash that produces a denial of service. No privileges or special network positioning are required.
The supplied references point to a security advisory and an upstream issue tracker entry, but contain no public details on patches, workarounds, or mitigation steps. The associated EPSS score remains flat at 0.0131 with no material increase after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-206527
Vulnerability details
A use-after-free in the mk_http_request_end function (mk_server/mk_http.c) of monkey commit f37e984 allows attackers to cause a Denial of Service (DoS) via sending a crafted HTTP request to the server.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Use-after-free in public HTTP server directly enables remote unauthenticated application crash via crafted request, matching Endpoint DoS via exploitation.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Flaw remediation directly addresses the use-after-free vulnerability in mk_http_request_end by patching the specific Monkey HTTP server code at commit f37e984 to prevent DoS exploitation.
Memory protection techniques such as address space layout randomization and non-executable memory directly mitigate use-after-free errors by preventing unauthorized access to freed memory during crafted HTTP request processing.
Denial-of-service protection limits the availability impact of exploitation attempts via crafted HTTP requests by employing rate limiting and resource throttling on the Monkey HTTP server.