Cyber Resilience

CVE-2025-63652

HighPublic PoC

Published: 29 January 2026

Published
29 January 2026
Modified
13 February 2026
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score 0.0131 80.2th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-63652 is a high-severity Use After Free (CWE-416) vulnerability in Monkey-Project Monkey. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked in the top 19.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-63652 is a use-after-free vulnerability in the mk_http_request_end function within mk_server/mk_http.c of the Monkey HTTP server at commit f37e984. The flaw is tracked under CWE-416 and carries a CVSS 3.1 score of 7.5, reflecting network-reachable denial-of-service impact without authentication or user interaction.

An unauthenticated remote attacker can trigger the condition by sending a single crafted HTTP request to the server, resulting in a crash that produces a denial of service. No privileges or special network positioning are required.

The supplied references point to a security advisory and an upstream issue tracker entry, but contain no public details on patches, workarounds, or mitigation steps. The associated EPSS score remains flat at 0.0131 with no material increase after disclosure.

EU & UK References

Vulnerability details

A use-after-free in the mk_http_request_end function (mk_server/mk_http.c) of monkey commit f37e984 allows attackers to cause a Denial of Service (DoS) via sending a crafted HTTP request to the server.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Use-after-free in public HTTP server directly enables remote unauthenticated application crash via crafted request, matching Endpoint DoS via exploitation.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-63651Same product: Monkey-Project Monkey
CVE-2025-63658Same product: Monkey-Project Monkey
CVE-2025-63653Same product: Monkey-Project Monkey
CVE-2025-63650Same product: Monkey-Project Monkey
CVE-2025-63655Same product: Monkey-Project Monkey
CVE-2025-63657Same product: Monkey-Project Monkey
CVE-2025-63649Same product: Monkey-Project Monkey
CVE-2025-63656Same product: Monkey-Project Monkey
CVE-2026-6759Shared CWE-416
CVE-2026-28799Shared CWE-416

Affected Assets

monkey-project
monkey
≤ 1.8.5

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Flaw remediation directly addresses the use-after-free vulnerability in mk_http_request_end by patching the specific Monkey HTTP server code at commit f37e984 to prevent DoS exploitation.

prevent

Memory protection techniques such as address space layout randomization and non-executable memory directly mitigate use-after-free errors by preventing unauthorized access to freed memory during crafted HTTP request processing.

prevent

Denial-of-service protection limits the availability impact of exploitation attempts via crafted HTTP requests by employing rate limiting and resource throttling on the Monkey HTTP server.

References