CVE-2025-63657

HighPublic PoC

Published: 29 January 2026

Published

29 January 2026

Modified

13 February 2026

KEV Added

—

Patch

—

CVSS Score 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Score 0.0097 76.8th percentile

Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-63657 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in Monkey-Project Monkey. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 23.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

SI-2 requires timely flaw remediation, directly addressing this CVE by applying patches documented in the Monkey GitHub issue and Archer Security advisory to fix the out-of-bounds read.

SI-10 Information Input Validation good match

prevent

SI-10 mandates input validation for HTTP requests, preventing crafted MIME type inputs from triggering the out-of-bounds read in mk_mimetype_find.

SC-5 Denial-of-service Protection good match

prevent

SC-5 provides denial-of-service protection mechanisms to limit the impact of application crashes caused by the out-of-bounds read vulnerability.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1499.004 Application or System Exploitation Impact

Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

attack.mitre.org →

Why these techniques?

OOB read in public-facing Monkey web server directly enables remote unauthenticated DoS via crafted HTTP request (T1190 for initial exploitation of public app; T1499.004 for resulting application crash via exploitation).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

An out-of-bounds read in the mk_mimetype_find function (mk_server/mk_mimetype.c) of monkey commit f37e984 allows attackers to cause a Denial of Service (DoS) via sending a crafted HTTP request to the server.

Deeper analysisAI

CVE-2025-63657 is an out-of-bounds read vulnerability (CWE-125) in the mk_mimetype_find function within mk_server/mk_mimetype.c of the Monkey web server at commit f37e984. Published on 2026-01-29, this flaw affects instances of Monkey running the specified code version, enabling attackers to trigger a denial of service through malformed inputs.

Remote attackers can exploit this vulnerability over the network with low complexity and no authentication or user interaction required, as reflected in its CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). By sending a crafted HTTP request to the server, an attacker causes an out-of-bounds read, resulting in application crashes and temporary denial of service without impacting confidentiality or integrity.

Mitigation details and patches are documented in advisories including the Archer Security advisory at https://github.com/archersec/security-advisories/blob/master/monkey/monkey-advisory-2025.md and Monkey GitHub issue #426 at https://github.com/monkey/monkey/issues/426. Security practitioners should consult these resources for upgrade guidance or workarounds.

Details

CWE(s): CWE-125

Affected Products

monkey-project

monkey

≤ 1.8.5

CVEs Like This One

CVE-2025-63649Same product: Monkey-Project Monkey

CVE-2025-63650Same product: Monkey-Project Monkey

CVE-2025-63656Same product: Monkey-Project Monkey

CVE-2025-63653Same product: Monkey-Project Monkey

CVE-2025-63655Same product: Monkey-Project Monkey

CVE-2025-63658Same product: Monkey-Project Monkey

CVE-2025-63652Same product: Monkey-Project Monkey

CVE-2025-63651Same product: Monkey-Project Monkey

CVE-2026-3622Shared CWE-125

CVE-2026-32319Shared CWE-125

References

https://github.com/archersec/security-advisories/blob/master/monkey/monkey-advisory-2025.md
Exploit, Third Party Advisory · cve@mitre.org
https://github.com/monkey/monkey/issues/426
Exploit · cve@mitre.org