Security Advisories of Vulnerabilities in Monkey (2025)

This document describes multiple vulnerabilities identified in the Monkey HTTP Server in October 2025. At the time of disclosure, none of the issues have been fixed.

CVE-2025-63649

Description: An out-of-bounds read in the function (mk_server/mk_http_parser.c) of Monkey commit f37e984 allows attackers to cause a Denial of Service (DoS) via sending a crafted POST request to the server.

Affected Versions: Monkey through commit f37e984

Impact: Denial of Service

References:
Issue discussion: [monkey/monkey#426]

Disclosure Timeline:
2025-10: CVE ID requested
2025-10: CVE ID assigned

CVE-2025-63650

Description: An out-of-bounds read in the function (mk_core/mk_memory.c) of Monkey commit f37e984 allows attackers to cause a Denial of Service (DoS) via sending a crafted HTTP request to the server.

Affected Versions: Monkey through commit f37e984

Impact: Denial of Service

References:
Issue discussion: [monkey/monkey#426]

Disclosure Timeline:
2025-10: CVE ID requested
2025-10: CVE ID assigned

CVE-2025-63651

Description: A use-after-free in the function (mk_core/mk_string.c) of Monkey commit f37e984 allows attackers to cause a Denial of Service (DoS) via sending a crafted HTTP request to the server.

Affected Versions: Monkey through commit f37e984

Impact: Denial of Service

References:
Issue discussion: [monkey/monkey#426]

Disclosure Timeline:
2025-10: CVE ID requested
2025-10: CVE ID assigned

CVE-2025-63652

Description: A use-after-free in the function (mk_server/mk_http.c) of Monkey commit f37e984 allows attackers to cause a Denial of Service (DoS) via sending a crafted HTTP request to the server.

Affected Versions: Monkey through commit f37e984

Impact: Denial of Service

References:
Issue discussion: [monkey/monkey#426]

Disclosure Timeline:
2025-10: CVE ID requested
2025-10: CVE ID assigned

CVE-2025-63653

Description: An out-of-bounds read in the function (mk_server/mk_vhost.c) of Monkey commit f37e984 allows attackers to cause a Denial of Service (DoS) via sending a crafted HTTP request to the server.

Affected Versions: Monkey through commit f37e984

Impact: Denial of Service

References:
Issue discussion: [monkey/monkey#426]

Disclosure Timeline:
2025-10: CVE ID requested
2025-10: CVE ID assigned

CVE-2025-63655

Description: A NULL pointer dereference in the function (mk_server/mk_http.c) of Monkey commit f37e984 allows attackers to cause a Denial of Service (DoS) via sending a crafted HTTP request to the server.

Affected Versions: Monkey through commit f37e984

Impact: Denial of Service

References:
Issue discussion: [monkey/monkey#427]

Disclosure Timeline:
2025-10: CVE ID requested
2025-10: CVE ID assigned

CVE-2025-63656

Description: An out-of-bounds read in the function (mk_server/mk_http_parser.c) of Monkey commit f37e984 allows attackers to cause a Denial of Service (DoS) via sending a crafted HTTP request to the server.

Affected Versions: Monkey through commit f37e984

Impact: Denial of Service

References:
Issue discussion: [monkey/monkey#426]

Disclosure Timeline:
2025-10: CVE ID requested
2025-10: CVE ID assigned

CVE-2025-63657

Description: An out-of-bounds read in the function (mk_server/mk_mimetype.c) of Monkey commit f37e984 allows attackers to cause a Denial of Service (DoS) via sending a crafted HTTP request to the server.

Affected Versions: Monkey through commit f37e984

Impact: Denial of Service

References:
Issue discussion: [monkey/monkey#426]

Disclosure Timeline:
2025-10: CVE ID requested
2025-10: CVE ID assigned

CVE-2025-63658

Description: A stack overflow in the function (mk_server/mk_http.c) of Monkey commit f37e984 allows attackers to cause a Denial of Service (DoS) or potentially cause a Remote Code Execution via sending a crafted HTTP request to the server.

Affected Versions: Monkey through commit f37e984

Impact: Denial of Service, Code Execution

References:
Issue discussion: [monkey/monkey#427]

Disclosure Timeline:
2025-10: CVE ID requested
2025-10: CVE ID assigned