CVE-2025-63652
Published: 29 January 2026
Summary
CVE-2025-63652 is a high-severity Use After Free (CWE-416) vulnerability in Monkey-Project Monkey. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks in the top 23.2% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Flaw remediation (SI-2) directly addresses the use-after-free in mk_http_request_end: replace Monkey HTTP server builds at the affected commit f37e984 with a patched version, which removes the crafted-request DoS vector rather than merely containing it.
Memory protection (SI-16), such as address space layout randomization, non-executable memory and hardened allocators, limits what an attacker can do with the freed memory touched during crafted HTTP request processing; these controls reduce the chance a use-after-free escalates beyond the crash observed here, but they do not remove the dangling pointer and so complement rather than replace the fix.
Denial-of-service protection limits the availability impact of exploitation attempts by applying rate limiting and resource throttling to HTTP requests at, or in front of, the Monkey HTTP server, so that repeated crash attempts from one source are slowed and the service can be restarted without being immediately knocked over again.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A use-after-free in an internet-facing HTTP server lets a remote, unauthenticated client crash the application with a single crafted request, which matches Endpoint Denial of Service: Application or System Exploitation (T1499.004).
NVD Description
A use-after-free in the mk_http_request_end function (mk_server/mk_http.c) of monkey commit f37e984 allows attackers to cause a Denial of Service (DoS) via sending a crafted HTTP request to the server.
Deeper analysis
CVE-2025-63652 is a use-after-free vulnerability (CWE-416) in the mk_http_request_end function located in mk_server/mk_http.c of the Monkey HTTP server at commit f37e984. It affects instances of Monkey running that specific version, enabling attackers to trigger the flaw through a crafted HTTP request. The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high severity primarily due to its potential for availability disruption.
Remote, unauthenticated attackers can exploit this vulnerability by sending a specially crafted HTTP request to a vulnerable Monkey server. Successful exploitation leads to a denial-of-service condition, likely causing the server to crash or become unresponsive, without impacting confidentiality or integrity.
Advisories and further details, including potential patches or mitigation guidance, are documented in the referenced sources: the Archer Security advisory at https://github.com/archersec/security-advisories/blob/master/monkey/monkey-advisory-2025.md and the Monkey project issue tracker at https://github.com/monkey/monkey/issues/426. Security practitioners should consult these for version-specific remediation steps.
Details
- CWE(s): CWE-416 (Use After Free)