CVE-2025-63651

7.5 HIGH

📋 TL;DR

A use-after-free vulnerability in Monkey web server's string handling function allows attackers to crash the server by sending specially crafted HTTP requests. This affects all Monkey web server deployments running vulnerable versions, potentially causing service disruption.

💻 Affected Systems

Products:
  • Monkey web server
Versions: prior to commit f37e984
Operating Systems: Linux, Unix-like systems
Default Config Vulnerable: ⚠️ Yes
Notes: All default configurations are vulnerable if running affected versions. The vulnerability is triggered by specific HTTP requests.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete denial of service with server crash and potential memory corruption that could lead to remote code execution under specific conditions.

🟠 Likely Case

Server crash and service disruption requiring a restart, with possible memory leak or instability.

🟢 If Mitigated

Limited impact with proper network segmentation and monitoring, though service interruption may still occur.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only sending crafted HTTP requests; no authentication is needed. No public proof-of-concept has been identified.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Commit f37e984 and later

Vendor Advisory: https://github.com/archersec/security-advisories/blob/master/monkey/monkey-advisory-2025.md

Restart Required: Yes

Instructions:

1. Update Monkey web server to commit f37e984 or later.
2. Rebuild from source if using a source installation.
3. Restart the Monkey service.
4. Verify the fix is applied.

🔧 Temporary Workarounds

Network filtering (all):

Implement web application firewall rules to block suspicious HTTP requests

Rate limiting (all):

Configure request rate limiting to reduce the impact of potential DoS attempts

🧯 If You Can't Patch

  • Implement network segmentation to isolate Monkey servers from untrusted networks
  • Deploy monitoring and alerting for server crashes or abnormal HTTP request patterns

🔍 How to Verify

Check if Vulnerable:

Compare the running Monkey build's version or commit hash against the fix: any build from before commit f37e984 is vulnerable

Check Version:

monkey --version or check build/commit information

Verify Fix Applied:

Verify that the deployed build's commit history includes f37e984 (or a later commit), then test with normal HTTP traffic

📡 Detection & Monitoring

Log Indicators:

  • Server crash logs
  • Abnormal termination messages
  • Memory error logs in system logs

Network Indicators:

  • Unusual HTTP request patterns
  • Multiple connection attempts with malformed requests

SIEM Query:

source="monkey.log" AND ("crash" OR "segmentation fault" OR "use-after-free")
