Cyber Posture

CVE-2025-63653

HighPublic PoC

Published: 29 January 2026

Published
29 January 2026
Modified
13 February 2026
KEV Added
Patch
CVSS Score 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score 0.0097 76.8th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-63653 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in Monkey-Project Monkey. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked in the top 23.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Application or System Exploitation (T1499.004). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match
prevent

Directly remediates the out-of-bounds read vulnerability in Monkey web server by identifying, prioritizing, and applying patches or updates from the vendor.

SC-5 Denial-of-service Protection good match
prevent

Implements denial-of-service protections at system entry points to limit the impact of crafted HTTP requests causing server crashes.

SI-10 Information Input Validation partial match
prevent

Validates HTTP request inputs to the Monkey server to reject crafted requests that could trigger the out-of-bounds read in mk_vhost_fdt_close.

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
attack.mitre.org →
Why these techniques?

Out-of-bounds read in public-facing Monkey web server directly enables remote application crash via crafted HTTP request, matching Application or System Exploitation for DoS.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

An out-of-bounds read in the mk_vhost_fdt_close function (mk_server/mk_vhost.c) of monkey commit f37e984 allows attackers to cause a Denial of Service (DoS) via sending a crafted HTTP request to the server.

Deeper analysisAI

CVE-2025-63653 is an out-of-bounds read vulnerability (CWE-125) in the mk_vhost_fdt_close function within mk_server/mk_vhost.c of the Monkey web server at commit f37e984. Published on 2026-01-29, it carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high severity primarily due to its impact on availability.

Unauthenticated attackers with network access to the vulnerable Monkey server can exploit this flaw by sending a crafted HTTP request, triggering the out-of-bounds read and causing a Denial of Service (DoS). The attack requires low complexity and no user interaction, allowing remote denial of service without affecting confidentiality or integrity.

Advisories and patches are detailed in the Archer Security advisory at https://github.com/archersec/security-advisories/blob/master/monkey/monkey-advisory-2025.md and the Monkey GitHub issue at https://github.com/monkey/monkey/issues/426.

Details

CWE(s)
CWE-125

Affected Products

monkey-project
monkey
≤ 1.8.5

CVEs Like This One

CVE-2025-63650Same product: Monkey-Project Monkey
CVE-2025-63657Same product: Monkey-Project Monkey
CVE-2025-63649Same product: Monkey-Project Monkey
CVE-2025-63658Same product: Monkey-Project Monkey
CVE-2025-63652Same product: Monkey-Project Monkey
CVE-2025-63656Same product: Monkey-Project Monkey
CVE-2025-63655Same product: Monkey-Project Monkey
CVE-2025-63651Same product: Monkey-Project Monkey
CVE-2025-0612Shared CWE-125
CVE-2026-25942Shared CWE-125

References