6.9

CVSS Score

4.0

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-34469

CVE-2025-34469: Cowrie < 2.9.0 Unrestricted wget/curl Emulation Enables SSRF-Based DDoS Amplification

Cowrie versions prior to 2.9.0 contain a server-side request forgery (SSRF) vulnerability in the emulated shell implementation of wget and curl. In the default emulated shell configuration, these command emulations perform real outbound HTTP requests to attacker-supplied destinations. Because no outbound request rate limiting was enforced, unauthenticated remote attackers could repeatedly invoke these commands to generate unbounded HTTP traffic toward arbitrary third-party targets, allowing the Cowrie honeypot to be abused as a denial-of-service amplification node and masking the attacker’s true source address behind the honeypot’s IP.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-34469

CVE-2025-34469:

6.9

CVSS Score

4.0

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
cowrie	pip	< 2.9.0	2.9.0

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability is a Server-Side Request Forgery (SSRF) in Cowrie's emulated wget and curl commands, which allowed attackers to use the honeypot as an amplification vector for DDoS attacks. The root cause was the absence of rate limiting on outbound requests initiated by these commands.

The analysis of the provided patch (PR #2800) confirms this. The fix introduces a RateLimiter class and integrates it into the start methods of the Command_wget and Command_curl classes. These start methods are the main entry points for handling the respective shell commands.

Before the patch, these functions would parse a user-supplied URL and proceed to make network requests without any checks on the frequency of these requests to a given destination. An attacker could exploit this by sending a high volume of wget or curl commands, turning the honeypot into a DDoS tool.

The identified vulnerable functions, Command_wget.start and Command_curl.start, are the precise locations where the lack of control existed. During exploitation, these functions would be invoked for every malicious wget or curl command executed in the honeypot's shell. The patch addresses the vulnerability by adding a rate-limiting check at the beginning of these functions, which now terminate the command with a simulated timeout if the request frequency for a host exceeds a defined threshold.

Vulnerable functions

Command_wget.start

src/cowrie/commands/wget.py

This function serves as the entry point for the emulated `wget` command. Before the patch, it parsed the user-provided URL and initiated a download via `httpDownload` or `ftpDownload` without restricting the number of requests to a specific host. This flaw allowed an attacker to repeatedly execute the command with a target URL, effectively using the honeypot as a proxy for a denial-of-service (DoS) attack. The patch mitigates this by adding a rate-limiting check at the beginning of the function.

Command_curl.start

src/cowrie/commands/curl.py

This function is the entry point for the emulated `curl` command. Similar to the `wget` command, it processed user-supplied URLs and made HTTP requests without any form of rate limiting. This allowed an attacker to abuse the honeypot for DoS attacks. The vulnerability was fixed by introducing a rate-limiting check before any network requests are made.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

6.9

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-34469: Cowrie < 2.9.0 Unrestricted wget/curl Emulation Enables SSRF-Based DDoS Amplification

CVE-2025-34469:

6.9

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

6.9

6.9

CVE-2025-34469: Cowrie < 2.9.0 Unrestricted wget/curl Emulation Enables SSRF-Based DDoS Amplification

Technical Details

Basic Information

Basic Information

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI