CVE-2025-63655
Published: 29 January 2026
Summary
CVE-2025-63655 is a high-severity NULL Pointer Dereference (CWE-476) vulnerability in Monkey-Project Monkey. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 23.5% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) (AI)
Directly remediates the NULL pointer dereference flaw in mk_http_range_parse by identifying, reporting, and correcting vulnerabilities in the Monkey HTTP server.
Implements denial-of-service protections to identify and resist crafted HTTP requests that trigger server crashes in vulnerable Monkey instances.
Ensures robust error handling to prevent NULL pointer dereferences and subsequent DoS crashes during HTTP range parsing.
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
A NULL pointer dereference in a public-facing HTTP server enables unauthenticated remote DoS through exploitation of the application.
NVD Description
A NULL pointer dereference in the mk_http_range_parse function (mk_server/mk_http.c) of monkey commit f37e984 allows attackers to cause a Denial of Service (DoS) via sending a crafted HTTP request to the server.
Deeper analysis (AI)
CVE-2025-63655 is a NULL pointer dereference vulnerability in the mk_http_range_parse function located in mk_server/mk_http.c of the Monkey HTTP server at commit f37e984. This flaw affects instances of Monkey running that specific commit, allowing attackers to trigger the issue through HTTP request processing. The vulnerability is classified under CWE-476 and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), highlighting its potential for significant availability impact without requiring authentication or user interaction.
Remote attackers can exploit this vulnerability by sending a specially crafted HTTP request to a vulnerable Monkey server, resulting in a denial-of-service condition due to the NULL pointer dereference crash. The attack is network-accessible with low complexity, enabling unauthenticated adversaries to repeatedly target the server and disrupt service availability for legitimate users.
For mitigation details, security practitioners should consult the referenced advisories, including the Archer Security advisory at https://github.com/archersec/security-advisories/blob/master/monkey/monkey-advisory-2025.md and the Monkey project issue tracker at https://github.com/monkey/monkey/issues/427, which likely provide patch information or workarounds specific to affected versions.
Details
- CWE(s)