CVE-2025-63655: n/a
A NULL pointer dereference in the mk_http_range_parse function (mk_server/mk_http.c) of monkey commit f37e984 allows attackers to cause a Denial of Service (DoS) via sending a crafted HTTP request to the server.
AI Analysis
Technical Summary
CVE-2025-63655 is a vulnerability identified in the Monkey HTTP server, specifically within the mk_http_range_parse function located in the mk_server/mk_http.c source file. The flaw is a NULL pointer dereference (CWE-476), which occurs when the function improperly handles crafted HTTP Range headers. When an attacker sends a maliciously crafted HTTP request containing a malformed Range header, the server attempts to dereference a NULL pointer, causing the process to crash and resulting in a Denial of Service (DoS). This vulnerability does not require any privileges or user interaction, making it remotely exploitable over the network. The CVSS v3.1 base score is 7.5 (high severity), with vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, indicating network attack vector, low attack complexity, no privileges or user interaction required, unchanged scope, no impact on confidentiality or integrity, but high impact on availability. No patches or fixes are currently linked, and no known exploits have been reported in the wild as of the publication date. The vulnerability was reserved in late 2025 and published in early 2026, suggesting recent discovery and disclosure. The Monkey HTTP server is a lightweight web server used in embedded systems and some Linux environments, which may limit the affected population but still poses risk to those deployments. The primary risk is service disruption due to server crashes, which can impact availability of web services relying on Monkey.
Potential Impact
For European organizations, the primary impact of CVE-2025-63655 is the potential for Denial of Service attacks against web servers running Monkey HTTP server software. This can lead to unavailability of critical web services, affecting business operations, customer access, and potentially causing reputational damage. Sectors such as telecommunications, embedded device manufacturers, and niche web hosting providers using Monkey could be particularly vulnerable. The lack of confidentiality or integrity impact means data breaches are unlikely, but service outages can disrupt operations and lead to financial losses. Given the ease of exploitation without authentication or user interaction, attackers can remotely trigger crashes at scale, potentially amplifying the impact. European organizations with public-facing web infrastructure or embedded devices running Monkey are at risk of targeted or opportunistic DoS attacks. This could also affect supply chains if embedded devices with Monkey servers are used in industrial or critical infrastructure contexts.
Mitigation Recommendations
1. Monitor official Monkey HTTP server repositories and security advisories for patches addressing CVE-2025-63655 and apply them promptly once available.
2. In the absence of patches, implement network-level filtering or Web Application Firewall (WAF) rules to detect and block suspicious or malformed HTTP Range headers that could trigger the vulnerability.
3. Employ rate limiting on HTTP requests to reduce the risk of DoS attacks exploiting this flaw.
4. Conduct regular log analysis to identify anomalous HTTP requests targeting the Range header parsing.
5. Consider isolating or segmenting systems running Monkey servers to limit exposure to untrusted networks.
6. For embedded devices using Monkey, coordinate with vendors for firmware updates or mitigations.
7. Implement redundancy and failover mechanisms for critical services to maintain availability in case of DoS events.
8. Educate security teams about this vulnerability to ensure rapid detection and response.
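As an added, defender-side example that is not part of this advisory and not Monkey's own code, the following Python check implements recommendations 2 and 4: it validates a Range header value strictly against the RFC 7233 byte-range grammar and flags log entries whose value fails, so malformed requests can be rejected at a proxy or WAF or surfaced during log review. The log line format, the 16-spec limit and the sample entries are assumptions constructed for the example.

```python
import re

# Strict grammar for one byte-range-spec from RFC 7233 section 2.1:
#   first-byte-pos "-" [last-byte-pos]   or   "-" suffix-length
# This validator is an added defensive pre-filter (assumed check), not Monkey's
# own mk_http_range_parse, and it does not reproduce the crashing input.
_RANGE_SPEC = re.compile(r"^(\d+)-(\d*)$|^-(\d+)$")

def validate_range_header(value, max_specs=16):
    """Return (ok, reason); ok is True only for a well-formed 'bytes=' range set."""
    if value is None or not value.startswith("bytes="):
        return False, "unit is not 'bytes'"
    body = value[len("bytes="):]
    if body == "":
        return False, "empty range set"
    specs = [s.strip() for s in body.split(",")]
    if len(specs) > max_specs:
        return False, f"too many range specs ({len(specs)})"
    for spec in specs:
        m = _RANGE_SPEC.match(spec)
        if not m:
            return False, f"malformed range spec {spec!r}"
        first, last, _suffix = m.groups()
        if first is not None and last != "" and int(last) < int(first):
            return False, f"last-byte-pos before first-byte-pos in {spec!r}"
    return True, "ok"

# Constructed sample access-log lines with the Range value appended
# (assumed log format, not Monkey's default).
SAMPLE_LOG = """\
203.0.113.10 GET /video.mp4 range="bytes=0-1023"
203.0.113.11 GET /video.mp4 range="bytes=-500"
203.0.113.12 GET /video.mp4 range="bytes="
203.0.113.13 GET /video.mp4 range="bytes=1000-5"
203.0.113.14 GET /video.mp4 range="items=0-10"
"""

def find_suspicious_range_requests(log_text):
    """Return [(client, reason)] for every request whose Range header is malformed."""
    hits = []
    for line in log_text.splitlines():
        m = re.search(r'^(\S+) \S+ \S+ range="([^"]*)"', line)
        if m:
            ok, reason = validate_range_header(m.group(2))
            if not ok:
                hits.append((m.group(1), reason))
    return hits
```

Requests that fail the check are candidates for blocking at the edge or for alerting; a strict grammar like this also rejects benign but unusual clients, so tune the rules against real traffic before enforcing them.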
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2025-10-27T00:00:00.000Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 697bbf40ac06320222b3ea50
Added to database: 1/29/2026, 8:12:48 PM
Last enriched: 2/6/2026, 8:31:17 AM
Last updated: 3/25/2026, 4:06:30 PM