Cyber Resilience

CVE-2025-63656

HighPublic PoC

Published: 29 January 2026

Published
29 January 2026
Modified
13 February 2026
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score 0.0131 80.2th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-63656 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in Monkey-Project Monkey. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 19.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SC-5 (Denial-of-service Protection).

Deeper analysis

CVE-2025-63656 is an out-of-bounds read vulnerability in the header_cmp function within mk_server/mk_http_parser.c of the Monkey web server at commit f37e984. The flaw is classified under CWE-125 and carries a CVSS 3.1 score of 7.5, reflecting network-accessible exploitation with no required credentials or user interaction that results in high impact to availability.

Unauthenticated remote attackers can trigger the issue by sending a specially crafted HTTP request to the server, causing a denial of service. The attack requires only network connectivity and succeeds against default configurations because the parser does not properly validate header data before the out-of-bounds access occurs.

Public references point to a dedicated security advisory and the upstream GitHub issue for Monkey, though no specific patch details or mitigation steps are described in the available information. The associated EPSS score remains flat at 0.0131 with no material increase observed after disclosure.

EU & UK References

Vulnerability details

An out-of-bounds read in the header_cmp function (mk_server/mk_http_parser.c) of monkey commit f37e984 allows attackers to cause a Denial of Service (DoS) via sending a crafted HTTP request to the server.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Out-of-bounds read in public-facing Monkey web server directly enables remote unauthenticated exploitation via crafted HTTP request, matching T1190 (Exploit Public-Facing Application) for DoS impact.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-63657Same product: Monkey-Project Monkey
CVE-2025-63649Same product: Monkey-Project Monkey
CVE-2025-63651Same product: Monkey-Project Monkey
CVE-2025-63653Same product: Monkey-Project Monkey
CVE-2025-63650Same product: Monkey-Project Monkey
CVE-2025-63655Same product: Monkey-Project Monkey
CVE-2025-63652Same product: Monkey-Project Monkey
CVE-2025-63658Same product: Monkey-Project Monkey
CVE-2025-55100Shared CWE-125
CVE-2025-54950Shared CWE-125

Affected Assets

monkey-project
monkey
≤ 1.8.5

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly remediates the out-of-bounds read vulnerability in the Monkey web server's header_cmp function by applying patches or upgrading to a fixed version.

prevent

Enforces denial-of-service protections such as rate limiting or traffic filtering to mitigate crashes from crafted HTTP requests exploiting the vulnerability.

prevent

Validates HTTP request inputs, including headers, at the server to block malformed requests that trigger the out-of-bounds read in header_cmp.

References