Pandoc SSRF Vulnerability Exploited to Target AWS IMDS
Summary
Hide β²
Show βΌ
A Server-Side Request Forgery (SSRF) vulnerability in Pandoc (CVE-2025-51591) has been exploited to target AWS Instance Metadata Service (IMDS) and steal EC2 IAM credentials. The flaw allows attackers to inject crafted HTML iframes to access sensitive metadata. The attack attempts were unsuccessful due to the enforcement of IMDSv2, which mitigates SSRF attacks. The vulnerability affects Pandoc, a Linux utility, and exploits the way it renders HTML documents. Attackers can craft iframes pointing to the IMDS server to exfiltrate sensitive information. The exploitation attempts were observed dating back to August 2025. The IMDS is a critical component of AWS, providing instance metadata and temporary IAM credentials. SSRF vulnerabilities in web applications running on EC2 instances can be exploited to steal these credentials, allowing unauthorized access to AWS services.
Timeline
-
24.09.2025 10:15 π° 1 articles Β· β± 8h ago
Pandoc SSRF Vulnerability Exploited to Target AWS IMDS
A Server-Side Request Forgery (SSRF) vulnerability in Pandoc (CVE-2025-51591) has been exploited to target AWS Instance Metadata Service (IMDS) and steal EC2 IAM credentials. The flaw allows attackers to inject crafted HTML iframes to access sensitive metadata. The attack attempts were unsuccessful due to the enforcement of IMDSv2, which mitigates SSRF attacks. Exploitation attempts were observed dating back to August 2025. The IMDS provides instance metadata and temporary IAM credentials, which can be stolen via SSRF vulnerabilities. SSRF attacks can bypass perimeter firewalls and reach internal assets, leading to cloud credential theft and unauthorized access.
Show sources
- Hackers Exploit Pandoc CVE-2025-51591 to Target AWS IMDS and Steal EC2 IAM Credentials β thehackernews.com β 24.09.2025 10:15
Information Snippets
-
CVE-2025-51591 is a Server-Side Request Forgery (SSRF) vulnerability in Pandoc with a CVSS score of 6.5.
First reported: 24.09.2025 10:15π° 1 source, 1 articleShow sources
- Hackers Exploit Pandoc CVE-2025-51591 to Target AWS IMDS and Steal EC2 IAM Credentials β thehackernews.com β 24.09.2025 10:15
-
The vulnerability allows attackers to inject crafted HTML iframes to access sensitive metadata from AWS IMDS.
First reported: 24.09.2025 10:15π° 1 source, 1 articleShow sources
- Hackers Exploit Pandoc CVE-2025-51591 to Target AWS IMDS and Steal EC2 IAM Credentials β thehackernews.com β 24.09.2025 10:15
-
The attack attempts were unsuccessful due to the enforcement of IMDSv2, which requires a token for all requests.
First reported: 24.09.2025 10:15π° 1 source, 1 articleShow sources
- Hackers Exploit Pandoc CVE-2025-51591 to Target AWS IMDS and Steal EC2 IAM Credentials β thehackernews.com β 24.09.2025 10:15
-
Exploitation attempts were observed dating back to August 2025.
First reported: 24.09.2025 10:15π° 1 source, 1 articleShow sources
- Hackers Exploit Pandoc CVE-2025-51591 to Target AWS IMDS and Steal EC2 IAM Credentials β thehackernews.com β 24.09.2025 10:15
-
The IMDS provides instance metadata and temporary IAM credentials, which can be stolen via SSRF vulnerabilities.
First reported: 24.09.2025 10:15π° 1 source, 1 articleShow sources
- Hackers Exploit Pandoc CVE-2025-51591 to Target AWS IMDS and Steal EC2 IAM Credentials β thehackernews.com β 24.09.2025 10:15
-
SSRF attacks can bypass perimeter firewalls and reach internal assets, leading to cloud credential theft and unauthorized access.
First reported: 24.09.2025 10:15π° 1 source, 1 articleShow sources
- Hackers Exploit Pandoc CVE-2025-51591 to Target AWS IMDS and Steal EC2 IAM Credentials β thehackernews.com β 24.09.2025 10:15
-
To mitigate the risk, use the "-f html+raw_html" or "--sandbox" options in Pandoc to prevent rendering iframe contents.
First reported: 24.09.2025 10:15π° 1 source, 1 articleShow sources
- Hackers Exploit Pandoc CVE-2025-51591 to Target AWS IMDS and Steal EC2 IAM Credentials β thehackernews.com β 24.09.2025 10:15
-
Organizations should enforce IMDSv2 and follow the principle of least privilege (PoLP) to contain the blast radius in case of an IMDS compromise.
First reported: 24.09.2025 10:15π° 1 source, 1 articleShow sources
- Hackers Exploit Pandoc CVE-2025-51591 to Target AWS IMDS and Steal EC2 IAM Credentials β thehackernews.com β 24.09.2025 10:15