Cowrie < 2.9.0 Unrestricted wget/curl Emulation Enables SSRF-Based DDoS Amplification
Description
Cowrie versions prior to 2.9.0 contain a server-side request forgery (SSRF) vulnerability in the emulated shell implementation of wget and curl. In the default emulated shell configuration, these command emulations perform real outbound HTTP requests to attacker-supplied destinations. Because no outbound request rate limiting was enforced, unauthenticated remote attackers could repeatedly invoke these commands to generate unbounded HTTP traffic toward arbitrary third-party targets, allowing the Cowrie honeypot to be abused as a denial-of-service amplification node and masking the attacker’s true source address behind the honeypot’s IP.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Cowrie honeypots prior to 2.9.0 allow unauthenticated attackers to abuse emulated wget/curl commands for SSRF-driven DDoS amplification against arbitrary targets.
Vulnerability
Overview
Cowrie, an SSH/Telnet honeypot that emulates a UNIX shell, includes emulated implementations of wget and curl commands. In versions prior to 2.9.0, these emulated commands performed real outbound HTTP requests to attacker-supplied destinations supplied by an attacker, with no rate limiting applied [1][2][4]. This server-side request forgery (SSRF) flaw exists in the emulated shell mode allows the honeypot to be used as an amplification node for denial-of-service attacks.
Exploitation and
Attack Surface
An unauthenticated remote attacker connecting via SSH or Telnet can repeatedly issue wget or curl commands targeting arbitrary third-party hosts [1][2]. Because the honeypot performs real HTTP requests from its own IP address, the attacker can generate unbounded traffic toward a victim while masking their true source [4]. The default emulated shell configuration makes every Cowrie instance vulnerable out of the box. Real-world exploitation has been observed in the wild, with automated sessions issuing thousands of such requests [1][4].
Impact
Successful exploitation enables an attacker to amplify HTTP-based DDoS attacks. The honeypot becomes an unwitting participant, generating continuous outbound traffic that can overwhelm a victim host. Additionally, the attacker's identity is concealed behind the honeypot's IP address, complicating attribution and mitigation [2][4].
Mitigation
The vulnerability is fixed in Cowrie version 2.9.0, which introduces rate limiting for outbound requests from command emulations [2][4]. Operators are strongly advised to update their installations. No workarounds are documented; running in proxy or LLM mode may reduce exposure but is not an explicit vendor-recommended mitigation [3].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
cowriePyPI | < 2.9.0 | 2.9.0 |
Affected products
2Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
8- github.com/cowrie/cowrie/pull/2800ghsapatchWEB
- github.com/cowrie/cowrie/releases/tag/v2.9.0ghsarelease-notespatchWEB
- github.com/advisories/GHSA-83jg-m2pm-4jxjghsavendor-advisoryADVISORY
- nvd.nist.gov/vuln/detail/CVE-2025-34469ghsaADVISORY
- www.vulncheck.com/advisories/cowrie-unrestricted-wget-curl-emulation-enables-ssrf-based-ddos-amplificationghsathird-party-advisoryWEB
- github.com/cowrie/cowrie/issues/2622ghsaissue-trackingWEB
- github.com/cowrie/cowrie/security/advisories/GHSA-83jg-m2pm-4jxjghsaWEB
- www.cve.org/cverecordghsaWEB
News mentions
0No linked articles in our index yet.