
Pandoc SSRF Vulnerability Exploited to Target AWS IMDS and Steal EC2 IAM Credentials

1 unique source, 1 article

Summary


A security flaw in Pandoc (CVE-2025-51591) is being exploited in the wild to reach the AWS Instance Metadata Service (IMDS). The vulnerability stems from Pandoc rendering <iframe> elements found in HTML input: an attacker who can submit HTML to a vulnerable web application running on an AWS EC2 instance can craft an <iframe> that points at the IMDS endpoint, turning the document conversion into a Server-Side Request Forgery (SSRF) that exfiltrates instance metadata, including EC2 IAM credentials, and can lead to unauthorized access to AWS services. Exploitation attempts were observed from August 2025 and continued for several weeks. They were unsuccessful because the targeted instances enforced IMDSv2, which requires a session token on every metadata request and so does not answer the plain, header-less GET that a rendered iframe produces. The mitigation is to require IMDSv2 and to enforce the principle of least privilege (PoLP) on EC2 instances.
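As an added example (not from the article or the Pandoc project), the following Python audit reads a describe-instances response, flags instances whose metadata options still answer token-less IMDSv1 requests, and emits the AWS CLI command that enforces IMDSv2. The input format is assumed to match `aws ec2 describe-instances`, and the instance IDs are constructed sample values.

```python
"""Audit EC2 metadata options for IMDSv2 enforcement and print the fix.
Added example, not from the article; input is assumed to be the JSON from
`aws ec2 describe-instances` (MetadataOptions: HttpTokens, HttpEndpoint)."""
import json

# Constructed sample in the shape of a describe-instances response.
SAMPLE_RESPONSE = json.dumps({"Reservations": [{"Instances": [
    {"InstanceId": "i-0aaa111example",  # IMDSv2 enforced: safe
     "MetadataOptions": {"HttpTokens": "required", "HttpEndpoint": "enabled"}},
    {"InstanceId": "i-0bbb222example",  # IMDSv1 still answered: exposed
     "MetadataOptions": {"HttpTokens": "optional", "HttpEndpoint": "enabled"}},
    {"InstanceId": "i-0ccc333example",  # IMDS switched off entirely
     "MetadataOptions": {"HttpTokens": "optional", "HttpEndpoint": "disabled"}},
]}]})


def remediation_command(instance_id: str) -> str:
    """AWS CLI call that makes the instance refuse token-less IMDS requests."""
    return ("aws ec2 modify-instance-metadata-options "
            f"--instance-id {instance_id} "
            "--http-tokens required --http-endpoint enabled")


def audit_imds(response_json: str) -> list[dict]:
    """Return one finding per instance that still answers IMDSv1.

    An <iframe src="..."> rendered by Pandoc yields a plain GET with no
    custom headers. IMDSv2 requires a PUT to obtain a session token and
    that token in a header on every GET, so HttpTokens=required does not
    hand metadata to such a request; HttpTokens=optional keeps IMDSv1 alive.
    """
    findings = []
    for reservation in json.loads(response_json)["Reservations"]:
        for inst in reservation["Instances"]:
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint") == "disabled":
                continue  # IMDS unreachable, nothing to fix
            if opts.get("HttpTokens") != "required":
                findings.append({
                    "instance": inst["InstanceId"],
                    "issue": f"IMDSv1 allowed (HttpTokens={opts.get('HttpTokens')})",
                    "fix": remediation_command(inst["InstanceId"]),
                })
    return findings


for finding in audit_imds(SAMPLE_RESPONSE):
    print(finding["instance"], finding["issue"], finding["fix"], sep="\n  ")
```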

Timeline

  1. 24.09.2025 10:15 · 1 article

    Pandoc SSRF Vulnerability Exploited to Target AWS IMDS

    From August 2025, attackers exploited a Pandoc SSRF vulnerability (CVE-2025-51591) to target AWS IMDS and steal EC2 IAM credentials. The exploitation attempts were unsuccessful due to the enforcement of IMDSv2, which mitigates SSRF attacks by requiring a token for all requests. Organizations are advised to enforce IMDSv2 and follow the principle of least privilege on EC2 instances.


Similar Happenings

Critical deserialization flaw in GoAnywhere MFT (CVE-2025-10035) patched

Fortra has disclosed and patched a critical deserialization vulnerability (CVE-2025-10035) in its GoAnywhere Managed File Transfer (MFT) software. The flaw, rated 10.0 on the CVSS scale, allows arbitrary command execution when the system is publicly accessible over the internet. It was actively exploited in the wild as early as September 10, 2025, a week before public disclosure, and was discovered during a security check on September 11, 2025. Fortra has released patches in versions 7.8.4 and 7.6.3 and advised customers to review their configurations immediately and remove public access from the Admin Console. The flaw affects the same license code path as the earlier CVE-2023-0669, which was widely exploited by multiple ransomware and APT groups in 2023, including LockBit. The Shadowserver Foundation is monitoring over 470 GoAnywhere MFT instances, but how many of them have been patched is unknown. Exploitation depends on the system being externally exposed to the internet. The observed exploitation sequence involved creating a backdoor account and uploading additional payloads, originating from an IP address flagged for brute-force attacks.