Scan free
HIGHCVE-2025-34469CVSS 8.3

CVE-2025-34469: SSRF in Cowrie Honeypot

Platform

python

Component

cowrie

Fixed in

2.9.0

2.9.0

AI Confidence: highNVDEPSS 0.2%Reviewed: May 2026
View on NVD
Save

CVE-2025-34469 describes a Server-Side Request Forgery (SSRF) vulnerability found in Cowrie, a popular SSH and Telnet honeypot. This flaw allows unauthenticated attackers to leverage Cowrie's emulated shell mode to amplify HTTP-based denial-of-service (DoS) attacks against external targets. The vulnerability impacts versions of Cowrie up to 2.8.1, and a fix is available in version 2.9.0.

Python

Detect this CVE in your project

Upload your requirements.txt file and we'll tell you instantly if you're affected.

Upload requirements.txtSupported formats: requirements.txt · Pipfile.lock

Impact and Attack Scenarios

The SSRF vulnerability in Cowrie's emulated shell mode presents a significant risk for DoS amplification. Attackers can craft malicious commands using wget or curl within the emulated shell, causing Cowrie to make outbound HTTP requests to arbitrary third-party hosts. Because Cowrie operates as a honeypot, it often has a public-facing IP address, making it an attractive target for attackers seeking to amplify their DoS attacks. This can lead to service disruptions and resource exhaustion for the targeted hosts, potentially impacting critical infrastructure or online services. The lack of authentication required to exploit this vulnerability further exacerbates the risk, as any unauthenticated user can potentially launch attacks.

Exploitation Context

CVE-2025-34469 was publicly disclosed on December 20, 2025. The vulnerability's ease of exploitation and the potential for DoS amplification suggest a medium probability of exploitation. No public proof-of-concept (PoC) code has been publicly released as of the disclosure date, but the SSRF nature of the vulnerability makes it likely that PoCs will emerge. It is not currently listed on CISA KEV.

Threat Intelligence

Exploit Status

Proof of ConceptUnknown
CISA KEVNO
Internet ExposureHigh

EPSS

0.19% (41% percentile)

CISA SSVC

Exploitationpoc
Automatableyes
Technical Impactpartial

CVSS Vector

THREAT INTELLIGENCE· CVSS 3.1CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L8.3HIGHAttack VectorNetworkHow the attacker reaches the targetAttack ComplexityLowConditions required to exploitPrivileges RequiredNoneAuthentication level needed to attackUser InteractionNoneWhether a victim must take actionScopeChangedImpact beyond the vulnerable componentConfidentialityLowRisk of sensitive data exposureIntegrityLowRisk of unauthorized data modificationAvailabilityLowRisk of service disruptionnextguardhq.com · CVSS v3.1 Base Score
What do these metrics mean?
Attack Vector
Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity
Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required
None — unauthenticated. No login or credentials needed to exploit.
User Interaction
None — attack is automatic and silent. Victim does nothing: no click, no file open.
Scope
Changed — successful attack can pivot beyond the vulnerable component to other systems or the host OS.
Confidentiality
Low — partial or indirect data access. Attacker gains limited information.
Integrity
Low — attacker can modify some data with limited scope or impact.
Availability
Low — partial or intermittent denial of service. Attacker can degrade performance.

Affected Software

Componentcowrie
Vendorosv
Affected rangeFixed in
0 – 2.9.02.9.0
2.9.0

Weakness Classification (CWE)

CWE-918

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated
Patched -22 days after disclosure

Mitigation and Workarounds

The primary mitigation for CVE-2025-34469 is to upgrade Cowrie to version 2.9.0 or later, which includes the fix for the SSRF vulnerability. If an immediate upgrade is not feasible, consider implementing temporary workarounds. Restricting outbound network access from the Cowrie honeypot to only essential services can limit the potential for abuse. Implementing a Web Application Firewall (WAF) or proxy with strict outbound filtering rules can also help prevent malicious HTTP requests. Monitoring Cowrie's logs for unusual outbound traffic patterns is crucial for early detection of potential attacks. After upgrading, confirm the fix by attempting to execute wget or curl commands within the emulated shell and verifying that the requests are properly blocked.

How to fix

Update Cowrie to version 2.9.0 or later. This version fixes the SSRF vulnerability by implementing rate limiting for outgoing requests and preventing DDoS amplification.

CVE Security Newsletter

Vulnerability analysis and critical alerts directly to your inbox.

Frequently asked questions

What is CVE-2025-34469 — SSRF in Cowrie Honeypot?

CVE-2025-34469 is a Server-Side Request Forgery vulnerability in Cowrie honeypots versions 2.8.1 and earlier, allowing attackers to launch DoS attacks.

Am I affected by CVE-2025-34469 in Cowrie Honeypot?

If you are running Cowrie version 2.8.1 or earlier, you are affected by this vulnerability and should upgrade immediately.

How do I fix CVE-2025-34469 in Cowrie Honeypot?

Upgrade Cowrie to version 2.9.0 or later to resolve the SSRF vulnerability. Consider temporary workarounds like restricting outbound network access if an upgrade is not immediately possible.

Is CVE-2025-34469 being actively exploited?

While no active exploitation has been confirmed, the vulnerability's ease of exploitation suggests a potential for exploitation, and monitoring is recommended.

Where can I find the official Cowrie advisory for CVE-2025-34469?

Refer to the Cowrie project's official website and security advisories for the latest information and updates regarding CVE-2025-34469.

Is your project affected?

Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.

Scan freeSearch CVEs