CVE-2025-63656
Published: 29 January 2026
Summary
CVE-2025-63656 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in Monkey-Project Monkey. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 23.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SC-5 (Denial-of-service Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly remediates the out-of-bounds read vulnerability in the Monkey web server's header_cmp function by applying patches or upgrading to a fixed version.
Enforces denial-of-service protections such as rate limiting or traffic filtering to mitigate crashes from crafted HTTP requests exploiting the vulnerability.
Validates HTTP request inputs, including headers, at the server to block malformed requests that trigger the out-of-bounds read in header_cmp.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Out-of-bounds read in public-facing Monkey web server directly enables remote unauthenticated exploitation via crafted HTTP request, matching T1190 (Exploit Public-Facing Application) for DoS impact.
NVD Description
An out-of-bounds read in the header_cmp function (mk_server/mk_http_parser.c) of monkey commit f37e984 allows attackers to cause a Denial of Service (DoS) via sending a crafted HTTP request to the server.
Deeper analysisAI
CVE-2025-63656 is an out-of-bounds read vulnerability (CWE-125) in the header_cmp function within mk_server/mk_http_parser.c of the Monkey web server at commit f37e984. Published on 2026-01-29, it enables attackers to induce a Denial of Service (DoS) by sending a crafted HTTP request to the affected server component. The issue carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), highlighting its potential for significant availability disruption.
Any unauthenticated remote attacker with network access to the Monkey server can exploit this vulnerability by crafting and transmitting a malicious HTTP request, triggering the out-of-bounds read and causing the server to crash or become unresponsive. No user interaction or privileges are required, and exploitation complexity is low, making it accessible to attackers targeting exposed Monkey instances.
Mitigation guidance and additional details are available in the Archer Security advisory at https://github.com/archersec/security-advisories/blob/master/monkey/monkey-advisory-2025.md and the Monkey GitHub issue tracker at https://github.com/monkey/monkey/issues/426.
Details
- CWE(s)