Monkey
Source repositories
CVEs (29)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2013-3843 | 0.05 | — | 0.20 | Jun 13, 2014 | Stack-based buffer overflow in the mk_request_header_process function in mk_request.c in Monkey HTTP Daemon (monkeyd) before 1.2.1 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted HTTP header. | |||
| CVE-2013-3724 | 0.04 | — | 0.14 | Aug 1, 2013 | The mk_request_header_process function in mk_request.c in Monkey 1.1.1 allows remote attackers to cause a denial of service (thread crash and service outage) via a '\0' character in an HTTP request. | |||
| CVE-2002-2154 | 0.04 | — | 0.08 | Dec 31, 2002 | Directory traversal vulnerability in Monkey HTTP Daemon 0.1.4 allows remote attackers to read arbitrary files via .. (dot dot) sequences. | |||
| CVE-2004-0276 | 0.03 | — | 0.04 | Nov 23, 2004 | The get_real_string function in Monkey HTTP Daemon (monkeyd) 0.8.1 and earlier allows remote attackers to cause a denial of service (crash) via an HTTP request with a sequence of "%" characters and a missing Host field. | |||
| CVE-2002-1852 | 0.03 | — | 0.03 | Dec 31, 2002 | Cross-site scripting (XSS) vulnerability in Monkey 0.5.0 allows remote attackers to inject arbitrary web script or HTML via (1) the URL or (2) a parameter to test2.pl. | |||
| CVE-2002-1663 | 0.03 | — | 0.04 | Dec 31, 2002 | The Post_Method function in method.c for Monkey HTTP Daemon before 0.5.1 allows remote attackers to cause a denial of service (crash) via a POST request with an invalid or missing Content-Length header value. | |||
| CVE-2025-63650 | 0.00 | — | 0.01 | Jan 29, 2026 | An out-of-bounds read in the mk_ptr_to_buf in mk_core function (mk_memory.c) of monkey commit f37e984 allows attackers to cause a Denial of Service (DoS) via sending a crafted HTTP request to the server. | |||
| CVE-2025-63655 | 0.00 | — | 0.07 | Jan 29, 2026 | A NULL pointer dereference in the mk_http_range_parse function (mk_server/mk_http.c) of monkey commit f37e984 allows attackers to cause a Denial of Service (DoS) via sending a crafted HTTP request to the server. | |||
| CVE-2025-63653 | 0.00 | — | 0.01 | Jan 29, 2026 | An out-of-bounds read in the mk_vhost_fdt_close function (mk_server/mk_vhost.c) of monkey commit f37e984 allows attackers to cause a Denial of Service (DoS) via sending a crafted HTTP request to the server. | |||
| CVE-2025-63652 | 0.00 | — | 0.01 | Jan 29, 2026 | A use-after-free in the mk_http_request_end function (mk_server/mk_http.c) of monkey commit f37e984 allows attackers to cause a Denial of Service (DoS) via sending a crafted HTTP request to the server. | |||
| CVE-2025-63658 | 0.00 | — | 0.01 | Jan 29, 2026 | A stack overflow in the mk_http_index_lookup function (mk_server/mk_http.c) of monkey commit f37e984 allows attackers to cause a Denial of Service (DoS) via sending a crafted HTTP request to the server. | |||
| CVE-2025-63657 | 0.00 | — | 0.01 | Jan 29, 2026 | An out-of-bounds read in the mk_mimetype_find function (mk_server/mk_mimetype.c) of monkey commit f37e984 allows attackers to cause a Denial of Service (DoS) via sending a crafted HTTP request to the server. | |||
| CVE-2025-63651 | 0.00 | — | 0.01 | Jan 29, 2026 | A use-after-free in the mk_string_char_search function (mk_core/mk_string.c) of monkey commit f37e984 allows attackers to cause a Denial of Service (DoS) via sending a crafted HTTP request to the server. | |||
| CVE-2025-63649 | 0.00 | — | 0.01 | Jan 29, 2026 | An out-of-bounds read in the http_parser_transfer_encoding_chunked function (mk_server/mk_http_parser.c) of monkey commit f37e984 allows attackers to cause a Denial of Service (DoS) via sending a crafted POST request to the server. | |||
| CVE-2025-63656 | 0.00 | — | 0.01 | Jan 29, 2026 | An out-of-bounds read in the header_cmp function (mk_server/mk_http_parser.c) of monkey commit f37e984 allows attackers to cause a Denial of Service (DoS) via sending a crafted HTTP request to the server. | |||
| CVE-2013-2183 | 0.00 | — | 0.00 | Dec 10, 2019 | Monkey HTTP Daemon has local security bypass | |||
| CVE-2013-2159 | 0.00 | — | 0.03 | Dec 10, 2019 | Monkey HTTP Daemon: broken user name authentication | |||
| CVE-2013-1771 | 0.00 | — | 0.03 | Nov 7, 2019 | The web server Monkeyd produces a world-readable log (/var/log/monkeyd/master.log) on gentoo. | |||
| CVE-2014-5336 | 0.00 | — | 0.02 | Aug 26, 2014 | Monkey HTTP Server before 1.5.3, when the File Descriptor Table (FDT) is enabled and custom error messages are set, allows remote attackers to cause a denial of service (file descriptor consumption) via an HTTP request that triggers an error message. | |||
| CVE-2013-2182 | 0.00 | — | 0.06 | Jun 13, 2014 | The Mandril security plugin in Monkey HTTP Daemon (monkeyd) before 1.5.0 allows remote attackers to bypass access restrictions via a crafted URI, as demonstrated by an encoded forward slash. |
- CVE-2013-3843Jun 13, 2014risk 0.05cvss —epss 0.20
Stack-based buffer overflow in the mk_request_header_process function in mk_request.c in Monkey HTTP Daemon (monkeyd) before 1.2.1 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted HTTP header.
- CVE-2013-3724Aug 1, 2013risk 0.04cvss —epss 0.14
The mk_request_header_process function in mk_request.c in Monkey 1.1.1 allows remote attackers to cause a denial of service (thread crash and service outage) via a '\0' character in an HTTP request.
- CVE-2002-2154Dec 31, 2002risk 0.04cvss —epss 0.08
Directory traversal vulnerability in Monkey HTTP Daemon 0.1.4 allows remote attackers to read arbitrary files via .. (dot dot) sequences.
- CVE-2004-0276Nov 23, 2004risk 0.03cvss —epss 0.04
The get_real_string function in Monkey HTTP Daemon (monkeyd) 0.8.1 and earlier allows remote attackers to cause a denial of service (crash) via an HTTP request with a sequence of "%" characters and a missing Host field.
- CVE-2002-1852Dec 31, 2002risk 0.03cvss —epss 0.03
Cross-site scripting (XSS) vulnerability in Monkey 0.5.0 allows remote attackers to inject arbitrary web script or HTML via (1) the URL or (2) a parameter to test2.pl.
- CVE-2002-1663Dec 31, 2002risk 0.03cvss —epss 0.04
The Post_Method function in method.c for Monkey HTTP Daemon before 0.5.1 allows remote attackers to cause a denial of service (crash) via a POST request with an invalid or missing Content-Length header value.
- CVE-2025-63650Jan 29, 2026risk 0.00cvss —epss 0.01
An out-of-bounds read in the mk_ptr_to_buf in mk_core function (mk_memory.c) of monkey commit f37e984 allows attackers to cause a Denial of Service (DoS) via sending a crafted HTTP request to the server.
- CVE-2025-63655Jan 29, 2026risk 0.00cvss —epss 0.07
A NULL pointer dereference in the mk_http_range_parse function (mk_server/mk_http.c) of monkey commit f37e984 allows attackers to cause a Denial of Service (DoS) via sending a crafted HTTP request to the server.
- CVE-2025-63653Jan 29, 2026risk 0.00cvss —epss 0.01
An out-of-bounds read in the mk_vhost_fdt_close function (mk_server/mk_vhost.c) of monkey commit f37e984 allows attackers to cause a Denial of Service (DoS) via sending a crafted HTTP request to the server.
- CVE-2025-63652Jan 29, 2026risk 0.00cvss —epss 0.01
A use-after-free in the mk_http_request_end function (mk_server/mk_http.c) of monkey commit f37e984 allows attackers to cause a Denial of Service (DoS) via sending a crafted HTTP request to the server.
- CVE-2025-63658Jan 29, 2026risk 0.00cvss —epss 0.01
A stack overflow in the mk_http_index_lookup function (mk_server/mk_http.c) of monkey commit f37e984 allows attackers to cause a Denial of Service (DoS) via sending a crafted HTTP request to the server.
- CVE-2025-63657Jan 29, 2026risk 0.00cvss —epss 0.01
An out-of-bounds read in the mk_mimetype_find function (mk_server/mk_mimetype.c) of monkey commit f37e984 allows attackers to cause a Denial of Service (DoS) via sending a crafted HTTP request to the server.
- CVE-2025-63651Jan 29, 2026risk 0.00cvss —epss 0.01
A use-after-free in the mk_string_char_search function (mk_core/mk_string.c) of monkey commit f37e984 allows attackers to cause a Denial of Service (DoS) via sending a crafted HTTP request to the server.
- CVE-2025-63649Jan 29, 2026risk 0.00cvss —epss 0.01
An out-of-bounds read in the http_parser_transfer_encoding_chunked function (mk_server/mk_http_parser.c) of monkey commit f37e984 allows attackers to cause a Denial of Service (DoS) via sending a crafted POST request to the server.
- CVE-2025-63656Jan 29, 2026risk 0.00cvss —epss 0.01
An out-of-bounds read in the header_cmp function (mk_server/mk_http_parser.c) of monkey commit f37e984 allows attackers to cause a Denial of Service (DoS) via sending a crafted HTTP request to the server.
- CVE-2013-2183Dec 10, 2019risk 0.00cvss —epss 0.00
Monkey HTTP Daemon has local security bypass
- CVE-2013-2159Dec 10, 2019risk 0.00cvss —epss 0.03
Monkey HTTP Daemon: broken user name authentication
- CVE-2013-1771Nov 7, 2019risk 0.00cvss —epss 0.03
The web server Monkeyd produces a world-readable log (/var/log/monkeyd/master.log) on gentoo.
- CVE-2014-5336Aug 26, 2014risk 0.00cvss —epss 0.02
Monkey HTTP Server before 1.5.3, when the File Descriptor Table (FDT) is enabled and custom error messages are set, allows remote attackers to cause a denial of service (file descriptor consumption) via an HTTP request that triggers an error message.
- CVE-2013-2182Jun 13, 2014risk 0.00cvss —epss 0.06
The Mandril security plugin in Monkey HTTP Daemon (monkeyd) before 1.5.0 allows remote attackers to bypass access restrictions via a crafted URI, as demonstrated by an encoded forward slash.
Page 1 of 2