CVE-2025-63653
Published: 29 January 2026
Summary
CVE-2025-63653 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in Monkey-Project Monkey. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked in the top 19.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-63653 is an out-of-bounds read vulnerability in the mk_vhost_fdt_close function located in mk_server/mk_vhost.c of the Monkey web server at commit f37e984. The flaw is classified under CWE-125 and carries a CVSS 3.1 score of 7.5, reflecting network attack vector, low complexity, and no required privileges or user interaction, with the primary impact being high availability degradation.
An unauthenticated remote attacker can trigger the condition by sending a specially crafted HTTP request to the server, resulting in a denial-of-service condition. The EPSS score remains flat at 0.0131 with no material increase observed after disclosure.
The referenced GitHub advisory and issue tracker entry provide further technical details on the affected code path but do not include explicit patch or mitigation guidance in the supplied information. No evidence of active real-world exploitation is present in the given data.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-206526
Vulnerability details
An out-of-bounds read in the mk_vhost_fdt_close function (mk_server/mk_vhost.c) of monkey commit f37e984 allows attackers to cause a Denial of Service (DoS) via sending a crafted HTTP request to the server.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Out-of-bounds read in public-facing Monkey web server directly enables remote application crash via crafted HTTP request, matching Application or System Exploitation for DoS.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly remediates the out-of-bounds read vulnerability in Monkey web server by identifying, prioritizing, and applying patches or updates from the vendor.
Implements denial-of-service protections at system entry points to limit the impact of crafted HTTP requests causing server crashes.
Validates HTTP request inputs to the Monkey server to reject crafted requests that could trigger the out-of-bounds read in mk_vhost_fdt_close.