Pandoc SSRF Vulnerability Exploited to Target AWS IMDS and Steal EC2 IAM Credentials
Summary
A security flaw in Pandoc (CVE-2025-51591) is being exploited in the wild to target the AWS Instance Metadata Service (IMDS). Attackers are using Server-Side Request Forgery (SSRF) to try to steal EC2 IAM credentials from vulnerable web applications running on AWS EC2 instances. The vulnerability arises from Pandoc's rendering of <iframe> tags in HTML documents: an attacker can supply an <iframe> element whose source points at the IMDS endpoint, so that the converting host fetches and exposes sensitive instance metadata, potentially leading to unauthorized access to AWS services. The exploitation attempts were observed from August 2025 and continued for several weeks, but they were unsuccessful because IMDSv2 was enforced; IMDSv2 mitigates this class of SSRF by requiring a session token for all metadata requests. The issue is further mitigated by enforcing the principle of least privilege (PoLP) on EC2 instances.
Timeline
- 24.09.2025 10:15 (1 article)
  Pandoc SSRF Vulnerability Exploited to Target AWS IMDS
  From August 2025, attackers exploited a Pandoc SSRF vulnerability (CVE-2025-51591) to target AWS IMDS and steal EC2 IAM credentials. The exploitation attempts were unsuccessful due to the enforcement of IMDSv2, which mitigates SSRF attacks by requiring a token for all requests. Organizations are advised to enforce IMDSv2 and follow the principle of least privilege on EC2 instances.
  Source: Hackers Exploit Pandoc CVE-2025-51591 to Target AWS IMDS and Steal EC2 IAM Credentials — thehackernews.com — 24.09.2025 10:15
Information Snippets
- Pandoc vulnerability CVE-2025-51591 allows SSRF attacks via crafted HTML iframe elements. (First reported 24.09.2025 10:15; 1 source, 1 article)
- Attackers target AWS IMDS to steal EC2 IAM credentials using SSRF vulnerabilities. (First reported 24.09.2025 10:15; 1 source, 1 article)
- The exploitation attempts were observed from August 2025 and continued for several weeks. (First reported 24.09.2025 10:15; 1 source, 1 article)
- IMDSv2 mitigates SSRF attacks by requiring a token for all requests. (First reported 24.09.2025 10:15; 1 source, 1 article)
- Organizations are advised to enforce IMDSv2 and follow the principle of least privilege (PoLP) on EC2 instances. (First reported 24.09.2025 10:15; 1 source, 1 article)
- Pandoc maintainers recommend using the "-f html+raw_html" or "--sandbox" options to prevent iframe exploitation. (First reported 24.09.2025 10:15; 1 source, 1 article)
All snippets above come from a single source: Hackers Exploit Pandoc CVE-2025-51591 to Target AWS IMDS and Steal EC2 IAM Credentials — thehackernews.com — 24.09.2025 10:15
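To make the IMDSv2 mitigation concrete, the following is an added example (not code from the article or from AWS): an in-process model of the documented IMDSv2 request rules, used to show why a bare GET, which is all a rendered <iframe src="..."> can issue, is refused while the two-step token flow succeeds. The request paths and header names are the public IMDS ones; the class, function names and status handling are constructed for illustration.

```python
import secrets
import time

# Constructed model of the IMDS request gate. It is NOT the AWS implementation;
# it only reproduces the documented IMDSv2 rules: a session token is minted by
# PUT /latest/api/token with a TTL header, every metadata GET must carry that
# token, and a token PUT arriving with X-Forwarded-For (i.e. via a proxy) is refused.
TOKEN_PATH = "/latest/api/token"
TTL_HEADER = "x-aws-ec2-metadata-token-ttl-seconds"
TOKEN_HEADER = "x-aws-ec2-metadata-token"


class ImdsGate:
    def __init__(self, http_tokens="required"):
        # Mirrors the EC2 metadata option HttpTokens: "optional" (IMDSv1 still
        # answers token-less GETs) or "required" (IMDSv2 only).
        self.http_tokens = http_tokens
        self._tokens = {}  # token -> monotonic expiry time

    def handle(self, method, path, headers=None):
        headers = {k.lower(): v for k, v in (headers or {}).items()}
        if method == "PUT" and path == TOKEN_PATH:
            if "x-forwarded-for" in headers:
                return 403, ""  # proxied request, not from the instance itself
            ttl = int(headers.get(TTL_HEADER, "0"))
            if not 1 <= ttl <= 21600:  # documented TTL bounds (1 s .. 6 h)
                return 400, ""
            token = secrets.token_urlsafe(32)
            self._tokens[token] = time.monotonic() + ttl
            return 200, token
        if method != "GET":
            return 405, ""
        token = headers.get(TOKEN_HEADER)
        if token is None:
            # A token-less GET is exactly what a renderer following an
            # <iframe src=...> URL produces; IMDSv2-only instances reject it.
            if self.http_tokens == "required":
                return 401, ""
        elif self._tokens.get(token, 0) <= time.monotonic():
            return 401, ""  # unknown or expired token
        return 200, f"metadata:{path}"


def iframe_style_fetch(gate, path):
    """Single bare GET, no session step: the only request shape an HTML fetch can make."""
    return gate.handle("GET", path)


def sdk_style_fetch(gate, path):
    """IMDSv2 flow used by legitimate SDKs: mint a token with PUT, then GET with it."""
    status, token = gate.handle("PUT", TOKEN_PATH, {TTL_HEADER: "21600"})
    if status != 200:
        return status, ""
    return gate.handle("GET", path, {TOKEN_HEADER: token})
```

Running both fetch styles against a gate with `http_tokens="optional"` shows the IMDSv1 behaviour the attackers were counting on: the token-less GET is answered, which is why enforcing `required` is the recommended setting.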
Similar Happenings
Critical deserialization flaw in GoAnywhere MFT (CVE-2025-10035) patched
Fortra has disclosed and patched a critical deserialization vulnerability (CVE-2025-10035) in GoAnywhere Managed File Transfer (MFT) software. This flaw, rated 10.0 on the CVSS scale, allows for arbitrary command execution if the system is publicly accessible over the internet. The vulnerability was actively exploited in the wild as early as September 10, 2025, a week before public disclosure. Fortra has released patches in versions 7.8.4 and 7.6.3. The flaw impacts the same license code path as the earlier CVE-2023-0669, which was widely exploited by multiple ransomware and APT groups in 2023, including LockBit. The vulnerability was discovered during a security check on September 11, 2025. Fortra advised customers to review configurations immediately and remove public access from the Admin Console. The Shadowserver Foundation is monitoring over 470 GoAnywhere MFT instances, but the number of patched instances is unknown. The flaw is highly dependent on systems being externally exposed to the internet. The exploitation sequence involved creating a backdoor account and uploading additional payloads, originating from an IP address flagged for brute-force attacks.