Cyber Resilience

CVE-2025-63655

Severity: High · Public PoC available

Published: 29 January 2026
Modified: 13 February 2026
KEV Added: not listed
Patch: none referenced
CVSS v3.1 score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS score: 0.0129 (80.1st percentile)
Risk priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-63655 is a high-severity NULL Pointer Dereference (CWE-476) vulnerability in Monkey-Project Monkey. Its CVSS base score is 7.5 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 19.9% of CVEs by exploit likelihood (EPSS), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-2 (Flaw Remediation).

Deeper analysis

A NULL pointer dereference vulnerability exists in the mk_http_range_parse function located in mk_server/mk_http.c of the Monkey web server at commit f37e984. Tracked as CVE-2025-63655 and assigned CWE-476, the flaw is reachable over the network and carries a CVSS 3.1 score of 7.5, reflecting high impact to availability with no requirements for authentication or user interaction.

An unauthenticated remote attacker can trigger the defect by sending a crafted HTTP request whose Range header is malformed; the server process dereferences a NULL pointer while parsing it and terminates, producing a denial-of-service condition.

Public references to the issue are available in a security advisory and the project's issue tracker, though no specific mitigation steps or patch details are provided in the current disclosure. The associated EPSS score remains low and unchanged at 0.0129, indicating limited observed exploitation interest to date.

EU & UK References

Vulnerability details

A NULL pointer dereference in the mk_http_range_parse function (mk_server/mk_http.c) of monkey commit f37e984 allows attackers to cause a Denial of Service (DoS) via sending a crafted HTTP request to the server.

CWE(s): CWE-476 NULL Pointer Dereference

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1499.004 Application or System Exploitation (Impact): Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

Why these techniques?

A NULL pointer dereference in a public-facing HTTP server enables unauthenticated remote denial of service through application exploitation.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

- CVE-2025-63649 (same product: Monkey-Project Monkey)
- CVE-2025-63657 (same product: Monkey-Project Monkey)
- CVE-2025-63652 (same product: Monkey-Project Monkey)
- CVE-2025-63653 (same product: Monkey-Project Monkey)
- CVE-2025-63656 (same product: Monkey-Project Monkey)
- CVE-2025-63651 (same product: Monkey-Project Monkey)
- CVE-2025-63658 (same product: Monkey-Project Monkey)
- CVE-2025-63650 (same product: Monkey-Project Monkey)
- CVE-2026-32696 (shared CWE-476)
- CVE-2024-24442 (shared CWE-476)

Affected Assets

monkey-project / monkey, versions ≤ 1.8.5

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

- SI-2 Flaw Remediation (prevent): Directly remediates the NULL pointer dereference flaw in mk_http_range_parse by identifying, reporting, and correcting vulnerabilities in the Monkey HTTP server.
- SC-5 Denial-of-Service Protection (prevent, detect): Implements denial-of-service protections to identify and resist crafted HTTP requests that trigger server crashes in vulnerable Monkey instances.
- Error handling (prevent): Ensures robust error handling to prevent NULL pointer dereferences and subsequent DoS crashes during HTTP range parsing.

References