CVE-2025-63655
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2026-01-29

Last updated on: 2026-02-13

Assigner: MITRE

Description
A NULL pointer dereference in the mk_http_range_parse function (mk_server/mk_http.c) of monkey commit f37e984 allows attackers to cause a Denial of Service (DoS) via sending a crafted HTTP request to the server.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-29
Last Modified
2026-02-13
Generated
2026-06-16
AI Q&A
2026-01-29
EPSS Evaluated
2026-06-15
NVD
CVE-2025-63655
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
monkey-project monkey to 1.8.5 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-476 The product dereferences a pointer that it expects to be valid but is NULL.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability involves a NULL pointer dereference in the mk_http_range_parse function of the Monkey HTTP server. Specifically, if an attacker sends a crafted HTTP request with a malformed Range header (e.g., containing a null character followed by a dash and equal sign in a certain order), it causes the server to dereference a null pointer, leading to a segmentation fault and crashing the server (Denial of Service). [1]

Impact Analysis

The vulnerability can cause a Denial of Service (DoS) by crashing the Monkey HTTP server when it processes a specially crafted HTTP request. This means an attacker can disrupt the availability of the server, making it unavailable to legitimate users. Additionally, related issues in the same codebase may allow for more severe impacts like remote code execution, but this specific vulnerability leads to server crashes. [1]

Detection Guidance

This vulnerability can be detected by monitoring for HTTP requests containing malformed Range headers, specifically those starting with "bytes" followed by a null character and containing a dash before an equal sign (e.g., `Range: bytes\0-=`). Additionally, detection can involve checking for unusually long URLs starting with a slash followed by a null character that exceed 1024 bytes. Commands to detect such attempts could include using network packet capture tools like tcpdump or Wireshark with filters for suspicious Range headers or malformed URLs. For example, using tcpdump: `tcpdump -A -s 0 'tcp port 80 and (((tcp[((tcp[12:1] & 0xf0) >> 2):4]) = 0x52616e67))'` to filter packets containing "Range" headers. However, no specific commands are provided in the resources. [1]

Mitigation Strategies

Immediate mitigation steps include updating the Monkey HTTP server to a version where these vulnerabilities are fixed once available. Until then, consider implementing network-level filtering to block HTTP requests with suspicious Range headers or malformed URLs as described. Additionally, monitoring and restricting incoming HTTP requests to prevent crafted requests that exploit the vulnerability can help reduce risk. No specific mitigation commands or patches are detailed in the resources. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-63655. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart