MidnightBSD

Advisories for monkey-project

CVE-2002-1663 MEDIUM

The Post_Method function in method.c for Monkey HTTP Daemon before 0.5.1 allows remote attackers to cause a denial of service (crash) via a POST request with an invalid or missing Content-Length header value.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
monkey-project monkey *
CVE-2002-1852 MEDIUM

Cross-site scripting (XSS) vulnerability in Monkey 0.5.0 allows remote attackers to inject arbitrary web script or HTML via (1) the URL or (2) a parameter to test2.pl.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
monkey-project monkey 0.5.0
CVE-2002-2154 MEDIUM

Directory traversal vulnerability in Monkey HTTP Daemon 0.1.4 allows remote attackers to read arbitrary files via .. (dot dot) sequences.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-22,

Products Affected

Vendor Product Version
monkey-project monkey 0.1.4
CVE-2003-0218 HIGH

Buffer overflow in PostMethod() function for Monkey HTTP Daemon (monkeyd) 0.6.1 and earlier allows remote attackers to execute arbitrary code via a POST request with a large body.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119,

Products Affected

Vendor Product Version
monkey-project monkey *
monkey-project monkey 0.5.2
monkey-project monkey 0.6.0
monkey-project monkey 0.1.1
CVE-2003-1209 MEDIUM

The Post_Method function in Monkey HTTP Daemon before 0.6.2 allows remote attackers to cause a denial of service (crash) via a POST request without a Content-Type header.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
monkey-project monkey *
monkey-project monkey 0.5.2
monkey-project monkey 0.6.0
monkey-project monkey 0.1.1
CVE-2004-0276 MEDIUM

The get_real_string function in Monkey HTTP Daemon (monkeyd) 0.8.1 and earlier allows remote attackers to cause a denial of service (crash) via an HTTP request with a sequence of "%" characters and a missing Host field.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
monkey-project monkey 0.6.2
monkey-project monkey 0.7.0
monkey-project monkey 0.8.0
monkey-project monkey *
monkey-project monkey 0.5.2
monkey-project monkey 0.7.1
monkey-project monkey 0.6.0
monkey-project monkey 0.6.3
monkey-project monkey 0.1.1
monkey-project monkey 0.6.1
monkey-project monkey 0.7.2
CVE-2005-1122 HIGH

Format string vulnerability in cgi.c for Monkey daemon (monkeyd) before 0.9.1 allows remote attackers to cause a denial of service and possibly execute arbitrary code via an HTTP GET request containing double-encoded format string specifiers (aka "double expansion error").

CVSS 2.0

Severity: HIGH

Problem Type: CWE-134,

Products Affected

Vendor Product Version
monkey-project monkey 0.7.0
monkey-project monkey 0.8.0
monkey-project monkey 0.5.2
monkey-project monkey 0.6.0
monkey-project monkey 0.8.3
monkey-project monkey 0.8.4
monkey-project monkey 0.1.1
monkey-project monkey 0.7.2
monkey-project monkey 0.8.5
monkey-project monkey 0.8.1
monkey-project monkey 0.6.2
monkey-project monkey *
monkey-project monkey 0.7.1
monkey-project monkey 0.6.3
monkey-project monkey 0.8.2
monkey-project monkey 0.6.1
CVE-2005-1123 MEDIUM

Monkey daemon (monkeyd) before 0.9.1 allows remote attackers to cause a denial of service (memory corruption) via a request for a zero byte file.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-119,

Products Affected

Vendor Product Version
monkey-project monkey 0.7.0
monkey-project monkey 0.8.0
monkey-project monkey 0.5.2
monkey-project monkey 0.6.0
monkey-project monkey 0.8.3
monkey-project monkey 0.8.4
monkey-project monkey 0.1.1
monkey-project monkey 0.7.2
monkey-project monkey 0.8.5
monkey-project monkey 0.8.1
monkey-project monkey 0.6.2
monkey-project monkey *
monkey-project monkey 0.7.1
monkey-project monkey 0.6.3
monkey-project monkey 0.8.2
monkey-project monkey 0.6.1
CVE-2013-1771 MEDIUM

The web server Monkeyd produces a world-readable log (/var/log/monkeyd/master.log) on gentoo.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-532,

Products Affected

Vendor Product Version
monkey-project monkey -
CVE-2013-2159 HIGH

Monkey HTTP Daemon: broken user name authentication

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-287,

Products Affected

Vendor Product Version
monkey-project monkey 1.2.1
CVE-2013-2163 MEDIUM

Monkey HTTP Daemon (monkeyd) before 1.2.2 allows remote attackers to cause a denial of service (infinite loop) via an offset equal to the file size in the Range HTTP header.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
monkey-project monkey *
monkey-project monkey 1.2.0
CVE-2013-2181 MEDIUM

Cross-site scripting (XSS) vulnerability in the Directory Listing plugin in Monkey HTTP Daemon (monkeyd) 1.2.2 allows attackers to inject arbitrary web script or HTML via a file name.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
monkey-project monkey 1.2.2
CVE-2013-2182 MEDIUM

The Mandril security plugin in Monkey HTTP Daemon (monkeyd) before 1.5.0 allows remote attackers to bypass access restrictions via a crafted URI, as demonstrated by an encoded forward slash.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
monkey-project monkey *
CVE-2013-2183 LOW

Monkey HTTP Daemon has local security bypass

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.1 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N 1.8 5.2

CVSS 2.0

Severity: LOW

Problem Type: CWE-668,

Products Affected

Vendor Product Version
monkey-project monkey -
CVE-2013-3724 MEDIUM

The mk_request_header_process function in mk_request.c in Monkey 1.1.1 allows remote attackers to cause a denial of service (thread crash and service outage) via a '\0' character in an HTTP request.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
monkey-project monkey 1.1.1
CVE-2013-3843 MEDIUM

Stack-based buffer overflow in the mk_request_header_process function in mk_request.c in Monkey HTTP Daemon (monkeyd) before 1.2.1 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted HTTP header.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-119,

Products Affected

Vendor Product Version
monkey-project monkey *
CVE-2014-5336 MEDIUM

Monkey HTTP Server before 1.5.3, when the File Descriptor Table (FDT) is enabled and custom error messages are set, allows remote attackers to cause a denial of service (file descriptor consumption) via an HTTP request that triggers an error message.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
monkey-project monkey 0.20.3
monkey-project monkey 0.32.0
monkey-project monkey 0.5.2
monkey-project monkey 0.13.2
monkey-project monkey 0.6.0
monkey-project monkey 0.9.0
monkey-project monkey 1.4.0
monkey-project monkey 0.21.0
monkey-project monkey 0.1.1
monkey-project monkey 0.10.1
monkey-project monkey 1.0.0
monkey-project monkey 0.6.2
monkey-project monkey 1.1.1
monkey-project monkey 1.5.3
monkey-project monkey 0.11.0
monkey-project monkey 0.12.2
monkey-project monkey 0.9.1
monkey-project monkey 1.5.0
monkey-project monkey 0.8.5
monkey-project monkey 0.13.0
monkey-project monkey 0.8.1
monkey-project monkey 0.9.3
monkey-project monkey 0.10.0
monkey-project monkey 0.13.1
monkey-project monkey 0.20.1
monkey-project monkey 0.6.1
monkey-project monkey 1.5.1
monkey-project monkey 0.10.3
monkey-project monkey 0.7.0
monkey-project monkey 0.8.3
monkey-project monkey 0.8.4
monkey-project monkey 1.2.2
monkey-project monkey 0.12.0
monkey-project monkey 0.20.0
monkey-project monkey 0.7.2
monkey-project monkey 0.10.2
monkey-project monkey 1.0.1
monkey-project monkey 0.9.2
monkey-project monkey 0.12.1
monkey-project monkey 0.20.2
monkey-project monkey 1.1.0
monkey-project monkey 0.6.3
monkey-project monkey 0.8.0
monkey-project monkey 0.31.0
monkey-project monkey 0.11.1
monkey-project monkey 1.2.0
monkey-project monkey 0.33.0
monkey-project monkey 1.2.1
monkey-project monkey 0.5.0
monkey-project monkey 0.30.0
monkey-project monkey *
monkey-project monkey 0.7.1
monkey-project monkey 0.1.4
monkey-project monkey 0.5.1
monkey-project monkey 0.8.2
CVE-2025-63649

An out-of-bounds read in the http_parser_transfer_encoding_chunked function (mk_server/mk_http_parser.c) of monkey commit f37e984 allows attackers to cause a Denial of Service (DoS) via sending a crafted POST request to the server.

Products Affected

Vendor Product Version
monkey-project monkey *
CVE-2025-63650

An out-of-bounds read in the mk_ptr_to_buf in mk_core function (mk_memory.c) of monkey commit f37e984 allows attackers to cause a Denial of Service (DoS) via sending a crafted HTTP request to the server.

Products Affected

Vendor Product Version
monkey-project monkey *
CVE-2025-63651

A use-after-free in the mk_string_char_search function (mk_core/mk_string.c) of monkey commit f37e984 allows attackers to cause a Denial of Service (DoS) via sending a crafted HTTP request to the server.

Products Affected

Vendor Product Version
monkey-project monkey *
CVE-2025-63652

A use-after-free in the mk_http_request_end function (mk_server/mk_http.c) of monkey commit f37e984 allows attackers to cause a Denial of Service (DoS) via sending a crafted HTTP request to the server.

Products Affected

Vendor Product Version
monkey-project monkey *
CVE-2025-63653

An out-of-bounds read in the mk_vhost_fdt_close function (mk_server/mk_vhost.c) of monkey commit f37e984 allows attackers to cause a Denial of Service (DoS) via sending a crafted HTTP request to the server.

Products Affected

Vendor Product Version
monkey-project monkey *
CVE-2025-63655

A NULL pointer dereference in the mk_http_range_parse function (mk_server/mk_http.c) of monkey commit f37e984 allows attackers to cause a Denial of Service (DoS) via sending a crafted HTTP request to the server.

Products Affected

Vendor Product Version
monkey-project monkey *
CVE-2025-63656

An out-of-bounds read in the header_cmp function (mk_server/mk_http_parser.c) of monkey commit f37e984 allows attackers to cause a Denial of Service (DoS) via sending a crafted HTTP request to the server.

Products Affected

Vendor Product Version
monkey-project monkey *
CVE-2025-63657

An out-of-bounds read in the mk_mimetype_find function (mk_server/mk_mimetype.c) of monkey commit f37e984 allows attackers to cause a Denial of Service (DoS) via sending a crafted HTTP request to the server.

Products Affected

Vendor Product Version
monkey-project monkey *
CVE-2025-63658

A stack overflow in the mk_http_index_lookup function (mk_server/mk_http.c) of monkey commit f37e984 allows attackers to cause a Denial of Service (DoS) via sending a crafted HTTP request to the server.

Products Affected

Vendor Product Version
monkey-project monkey *