Cyber Resilience

CVE-2025-63657

HighPublic PoC

Published: 29 January 2026

Published
29 January 2026
Modified
13 February 2026
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score 0.0131 80.2th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-63657 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in Monkey-Project Monkey. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 19.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-63657 is an out-of-bounds read vulnerability in the mk_mimetype_find function located in mk_server/mk_mimetype.c of the Monkey web server at commit f37e984. The flaw is triggered when the server processes a specially crafted HTTP request, resulting in a denial of service. It carries a CVSS 3.1 score of 7.5 reflecting network attack vector, low complexity, and high availability impact, and is associated with CWE-125.

Unauthenticated remote attackers can exploit the issue by sending a malicious HTTP request to an affected Monkey instance. Successful exploitation causes the server to crash or become unresponsive, achieving denial of service without requiring credentials or user interaction.

Public references consist of a security advisory and an associated GitHub issue that provide additional technical context for the flaw. The EPSS score remains flat at 0.0131 with no material increase since disclosure, indicating limited observed exploitation interest.

EU & UK References

Vulnerability details

An out-of-bounds read in the mk_mimetype_find function (mk_server/mk_mimetype.c) of monkey commit f37e984 allows attackers to cause a Denial of Service (DoS) via sending a crafted HTTP request to the server.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

OOB read in public-facing Monkey web server directly enables remote unauthenticated DoS via crafted HTTP request (T1190 for initial exploitation of public app; T1499.004 for resulting application crash via exploitation).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-63649Same product: Monkey-Project Monkey
CVE-2025-63656Same product: Monkey-Project Monkey
CVE-2025-63653Same product: Monkey-Project Monkey
CVE-2025-63650Same product: Monkey-Project Monkey
CVE-2025-63655Same product: Monkey-Project Monkey
CVE-2025-63651Same product: Monkey-Project Monkey
CVE-2025-63652Same product: Monkey-Project Monkey
CVE-2025-63658Same product: Monkey-Project Monkey
CVE-2026-41604Shared CWE-125
CVE-2026-30997Shared CWE-125

Affected Assets

monkey-project
monkey
≤ 1.8.5

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

SI-2 requires timely flaw remediation, directly addressing this CVE by applying patches documented in the Monkey GitHub issue and Archer Security advisory to fix the out-of-bounds read.

prevent

SI-10 mandates input validation for HTTP requests, preventing crafted MIME type inputs from triggering the out-of-bounds read in mk_mimetype_find.

prevent

SC-5 provides denial-of-service protection mechanisms to limit the impact of application crashes caused by the out-of-bounds read vulnerability.

References