CVE-2025-63658
Published: 29 January 2026
Summary
CVE-2025-63658 is a high-severity Stack-based Buffer Overflow (CWE-121) vulnerability in Monkey-Project Monkey. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks in the top 44.7% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Threat & Defense Details
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A stack-based buffer overflow in a network-facing HTTP server lets a single crafted request crash the serving process, which is an application-layer denial of service (T1499.004).
NVD Description
A stack overflow in the mk_http_index_lookup function (mk_server/mk_http.c) of monkey commit f37e984 allows attackers to cause a Denial of Service (DoS) via sending a crafted HTTP request to the server.
Deeper analysis
CVE-2025-63658 is a stack overflow vulnerability in the mk_http_index_lookup function within mk_server/mk_http.c of the Monkey HTTP server at commit f37e984. Published on 2026-01-29, it is classified under CWE-121 (Stack-based Buffer Overflow) and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). The NVD entry identifies the affected code only by that commit, not by a release version, so operators should compare their build against it rather than rely on a version number. The flaw enables attackers to trigger a Denial of Service (DoS) through a crafted HTTP request.
Remote, unauthenticated attackers can exploit this vulnerability over the network with low complexity and no user interaction required. A specially crafted HTTP request reaches the overflow in mk_http_index_lookup and crashes the server process; the result is a high-impact loss of availability, with no confidentiality or integrity impact, as the vector's C:N/I:N/A:H components state.
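To make the CWE-121 pattern concrete, the following is an added C illustration; it is not Monkey's code and does not reproduce the actual defect in mk_http_index_lookup, since the page does not describe the request that triggers it. It assumes a hypothetical index lookup that composes "<dir>/<index file>" into a 64-byte stack buffer, shows the unbounded copy beside a length-checked version, and substitutes a constructed in-memory file table for the filesystem. All names, sizes and return codes are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Assumed buffer size for the composed "<dir>/<index file>" path; chosen
 * small so the oversized case is easy to reach. Not Monkey's value. */
#define INDEX_PATH_MAX 64

/* Candidate index file names tried in order (hypothetical configuration). */
static const char *index_names[] = { "index.html", "index.htm", NULL };

/* Constructed stand-in for the filesystem: the only paths that "exist". */
static const char *present_files[] = {
    "/srv/site/index.html",
    "/srv/docs/index.htm",
    NULL
};

static int file_exists(const char *path)
{
    for (size_t i = 0; present_files[i] != NULL; i++)
        if (strcmp(present_files[i], path) == 0)
            return 1;
    return 0;
}

/* CWE-121 shape: the request-derived directory is copied into a fixed
 * stack buffer with no length check. A directory longer than the buffer
 * overwrites adjacent stack data and the process typically crashes, which
 * is the denial of service this class of bug produces. Shown for
 * contrast only; never call it with untrusted input. */
int index_lookup_vulnerable(const char *dir, char *out, size_t outlen)
{
    char path[INDEX_PATH_MAX];
    for (size_t i = 0; index_names[i] != NULL; i++) {
        strcpy(path, dir);            /* unbounded copy */
        strcat(path, "/");
        strcat(path, index_names[i]);
        if (file_exists(path)) {
            snprintf(out, outlen, "%s", path);
            return 0;
        }
    }
    return -1;                        /* no index file found */
}

/* Hardened shape: compute the required length up front and refuse the
 * request before any byte is written if it cannot fit, then format with
 * a bounded call. -2 ("too long") is kept distinct from -1 ("not found")
 * so the caller can answer with a 4xx for the request rather than a 404. */
int index_lookup_hardened(const char *dir, char *out, size_t outlen)
{
    char path[INDEX_PATH_MAX];
    size_t dirlen = strlen(dir);
    for (size_t i = 0; index_names[i] != NULL; i++) {
        /* dir + '/' + name + NUL must fit in the buffer */
        if (dirlen + 1 + strlen(index_names[i]) + 1 > sizeof path)
            return -2;
        int n = snprintf(path, sizeof path, "%s/%s", dir, index_names[i]);
        if (n < 0 || (size_t)n >= sizeof path)
            return -2;                /* defensive: snprintf would have truncated */
        if (file_exists(path)) {
            snprintf(out, outlen, "%s", path);
            return 0;
        }
    }
    return -1;
}

/* Returns 1 if the hardened lookup resolves 'dir' to exactly 'expected'. */
int hardened_resolves_to(const char *dir, const char *expected)
{
    char out[256];
    if (index_lookup_hardened(dir, out, sizeof out) != 0)
        return 0;
    return strcmp(out, expected) == 0;
}

/* Builds a request directory of 'len' 'A' bytes (an attacker-controlled
 * length) and returns the hardened lookup's result code. */
int hardened_rc_for_dir_length(size_t len)
{
    char attack[512], out[256];
    if (len >= sizeof attack)
        len = sizeof attack - 1;
    memset(attack, 'A', len);
    attack[len] = '\0';
    return index_lookup_hardened(attack, out, sizeof out);
}

int main(void)
{
    char out[256];
    int rc = index_lookup_hardened("/srv/site", out, sizeof out);
    printf("/srv/site -> rc=%d %s\n", rc, out);
    rc = index_lookup_hardened("/srv/docs", out, sizeof out);
    printf("/srv/docs -> rc=%d %s\n", rc, out);
    printf("300-byte dir -> rc=%d (rejected before any copy)\n",
           hardened_rc_for_dir_length(300));
    return 0;
}
```

The boundary is the part worth studying: with a 64-byte buffer, a 52-byte directory still fits ("52 + '/' + index.html + NUL" is exactly 64), while 53 bytes is refused before any write. In the vulnerable variant the same 53-byte input silently spills past the buffer, and a long enough one takes the process down.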
Mitigation details are available in the referenced advisories, including the Archer Security advisory at https://github.com/archersec/security-advisories/blob/master/monkey/monkey-advisory-2025.md and the Monkey GitHub issue at https://github.com/monkey/monkey/issues/427.
Details
- CWE(s)