CVE-2025-63657

7.5 HIGH

📋 TL;DR

An out-of-bounds read vulnerability in Monkey web server's mk_mimetype_find function allows attackers to cause denial of service by sending specially crafted HTTP requests. This affects Monkey web server deployments using vulnerable versions. Attackers can crash the server without authentication.

💻 Affected Systems

Products:
  • Monkey web server
Versions: Versions up to and including commit f37e984
Operating Systems: Linux, Unix-like systems
Default Config Vulnerable: ⚠️ Yes
Notes: All Monkey server deployments using vulnerable code are affected regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete server crash leading to sustained denial of service, potentially requiring manual restart and causing extended downtime.

🟠 Likely Case

Server process crashes when receiving malicious requests, causing temporary service disruption until automatic or manual restart.

🟢 If Mitigated

With proper network segmentation and request filtering, impact is limited to isolated service restarts with minimal business disruption.

🌐 Internet-Facing: HIGH - Directly accessible servers can be targeted by any internet user with simple HTTP requests.
🏢 Internal Only: MEDIUM - Internal attackers or compromised internal systems could exploit this, but requires network access to the server.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending crafted HTTP requests, which is straightforward for attackers with basic networking knowledge.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after commit f37e984

Vendor Advisory: https://github.com/archersec/security-advisories/blob/master/monkey/monkey-advisory-2025.md

Restart Required: Yes

Instructions:

1. Update Monkey server to a version after commit f37e984.
2. Stop the Monkey server service.
3. Install the updated version.
4. Restart the Monkey server service.

🔧 Temporary Workarounds

Request Filtering

Platform: all

Implement a web application firewall or reverse proxy to filter suspicious HTTP requests.

Network Segmentation

Platform: linux

Restrict access to the Monkey server to trusted networks only.

# Replace trusted_network with the CIDR of the network allowed to reach the server.
# Rules are appended in order, so the ACCEPT rules must precede the DROP rules.
iptables -A INPUT -p tcp --dport 80 -s trusted_network -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -s trusted_network -j ACCEPT
# Drop all other traffic to the web ports.
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -j DROP

🧯 If You Can't Patch

  • Implement rate limiting to prevent mass exploitation attempts
  • Deploy behind reverse proxy with request validation and filtering

🔍 How to Verify

Check if Vulnerable:

Check Monkey server version or commit hash against vulnerable range (up to commit f37e984)

Check Version:

monkey --version or check commit hash in source/build

Verify Fix Applied:

Verify installed version is after commit f37e984 and test with sample requests

📡 Detection & Monitoring

Log Indicators:

  • Server crash logs
  • Unexpected process termination
  • Error messages mentioning mimetype or out-of-bounds

Network Indicators:

  • Unusual HTTP requests with crafted headers or paths
  • Multiple connection attempts followed by service unavailability

SIEM Query:

source="monkey.log" AND ("crash" OR "segmentation fault" OR "out of bounds")
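The log indicators and SIEM query above can be turned into a small offline check. The script below is an added example, not part of this advisory or of the Monkey project; it assumes a hypothetical "[timestamp] [level] message" log layout and uses constructed sample lines, so the patterns and the level filter must be adapted to the real log format before use.

```python
import re

# Indicator keywords taken from the advisory's "Log Indicators" list and its
# SIEM query, keyed by a short name for reporting.
INDICATORS = {
    "crash": re.compile(r"\bcrash", re.IGNORECASE),
    "segfault": re.compile(r"segmentation fault", re.IGNORECASE),
    "oob": re.compile(r"out[ -]of[ -]bounds", re.IGNORECASE),
    "mimetype": re.compile(r"mimetype", re.IGNORECASE),
    "unexpected_exit": re.compile(r"exited unexpectedly", re.IGNORECASE),
}

# Only lines at these severities are scanned, so a request for a URL such as
# /crash-course.html (which contains "crash") is not reported by itself.
ALERT_LEVELS = {"warn", "error", "fatal"}

# "[timestamp] [level] message" is a hypothetical layout used for this example;
# it is not the real Monkey log format.
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] (?P<msg>.*)$")

# Constructed sample log lines (not captured from a real server).
SAMPLE_LOG = """\
[2025-11-01 10:00:01] [info] Monkey server started on port 80
[2025-11-01 10:00:05] [info] GET /index.html 200
[2025-11-01 10:00:09] [info] GET /crash-course.html 200
[2025-11-01 10:01:12] [error] mk_mimetype_find: out-of-bounds read while resolving extension
[2025-11-01 10:01:12] [fatal] segmentation fault in worker thread 3
[2025-11-01 10:01:13] [warn] supervisor: process exited unexpectedly, restarting
[2025-11-01 10:02:00] [info] GET /about.html 200
"""


def classify_line(line):
    """Return the set of indicator names that match one log line.

    Lines in the expected format are only checked when their level is in
    ALERT_LEVELS; lines in an unknown format are checked unconditionally so a
    crash message with no severity prefix is not silently dropped.
    """
    m = LINE_RE.match(line)
    if m and m.group("level").lower() not in ALERT_LEVELS:
        return set()
    text = m.group("msg") if m else line
    return {name for name, pat in INDICATORS.items() if pat.search(text)}


def find_indicators(log_text):
    """Scan a whole log; return (line_no, sorted indicator names, line) per hit."""
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        matched = classify_line(line)
        if matched:
            hits.append((line_no, sorted(matched), line))
    return hits


def crash_event_count(log_text):
    """Number of hit lines carrying a crash-type indicator (the alerting signal)."""
    crash_like = {"crash", "segfault", "unexpected_exit"}
    return sum(1 for _, names, _ in find_indicators(log_text) if crash_like & set(names))


if __name__ == "__main__":
    for line_no, names, line in find_indicators(SAMPLE_LOG):
        print(f"line {line_no}: {names} :: {line}")
    print("crash-type events:", crash_event_count(SAMPLE_LOG))
```

Keyword matching of this kind is approximate: it confirms that a crash happened and that the mimetype lookup was involved, but it does not identify the request that triggered it. Pair it with process-supervisor restart alerts (the "unexpected process termination" indicator) and with access-log review around the crash timestamp.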
