- Security researchers discovered active attempts to exploit a vulnerability in the Linux utility Pandoc to target Amazon Web Services (AWS) Instance Metadata Service (IMDS).
- The flaw, tracked as CVE-2025-51591, is a Server-Side Request Forgery (SSRF) with a CVSS score of 6.5 that attackers can trigger with crafted HTML iframe elements.
- AWS IMDS provides temporary credentials for applications on EC2 instances, making it a valuable target for credential theft through SSRF attacks.
- The attack attempts were unsuccessful due to the use of newer IMDSv2, which requires extra authentication steps that prevent simple SSRF-driven credential theft.
- Experts recommend using IMDSv2, input sanitization, and the principle of least privilege to reduce the risk and impact of such vulnerabilities.
Cloud security firm Wiz reported in-the-wild exploitation attempts against a vulnerability in the Linux utility Pandoc, aiming to breach the Amazon Web Services (AWS) Instance Metadata Service (IMDS). These incidents began in August and lasted for several weeks, seeking to steal temporary credentials in AWS cloud environments.
The exploited vulnerability, CVE-2025-51591, allows attackers to use specially crafted HTML iframe tags to launch Server-Side Request Forgery (SSRF) attacks. According to Wiz, if successful, the flaw could allow intruders to gain access to sensitive instance metadata or temporary credentials used to interact with core AWS services.
Researchers Hila Ramati and Gili Tikochinski at Wiz explained, “If the application can reach the IMDS endpoint and is susceptible to SSRF, the attacker can harvest temporary credentials without needing any direct host access (such as RCE or path traversal).” They added that the attacks focused on injecting malicious iframes into Pandoc documents to collect data from IMDS endpoints such as /latest/meta-data/iam/info.
Past incidents show SSRF vulnerabilities can pose real threats. In early 2022, Mandiant, part of Google, reported attackers exploited SSRF flaws—including CVE-2021-21311 in the Adminer tool—to steal credentials from AWS instances using IMDS.
IMDS, specifically its older version IMDSv1, operates through a simple request-and-response model, making it an attractive target for SSRF attacks. However, the latest attack attempts failed because IMDSv2 was enabled. IMDSv2 uses session tokens and specific headers, requiring multiple authentication steps that block unauthorized access through basic SSRF techniques.
Security experts recommend addressing CVE-2025-51591 by using sanitization options in Pandoc, such as the “-f html+raw_html” or “--sandbox” switch, which prevent loading potentially dangerous iframes. Wiz noted, “[Pandoc maintainers] decided that rendering iframes is the intended behavior and that the user is responsible to either sanitize the input or use the sandbox flags when handling user inputs.”
Further protection includes enforcing IMDSv2 across all AWS EC2 instances and assigning instance roles with only the minimum permissions required. These measures help contain risks if attackers successfully exploit SSRF flaws in third-party software running on cloud infrastructure.
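For the input-sanitization recommendation above, the following added example (not from Wiz or the Pandoc project) shows a pre-conversion check that rejects untrusted HTML whose iframes point at link-local, internal, or non-allowlisted destinations. The allowlist, function names, and sample document are assumptions made for illustration.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hypothetical allowlist of hosts this service is willing to embed.
ALLOWED_HOSTS = {"docs.example.com"}

class IframeCollector(HTMLParser):
    """Collect the src attribute of every <iframe> start tag."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.sources.append(dict(attrs).get("src") or "")

def classify_src(src):
    """Return None when src is acceptable, otherwise the reason it is not."""
    try:
        parts = urlsplit(src.strip())
        host = (parts.hostname or "").lower()
    except ValueError:
        return "unparseable URL"
    if parts.scheme not in ("http", "https") or not host:
        return "not an absolute http(s) URL"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # A DNS name: accept only names we explicitly trust.
        return None if host in ALLOWED_HOSTS else "host not on allowlist"
    if ip.is_link_local:
        return "link-local address (instance metadata range)"
    if ip.is_loopback or ip.is_private:
        return "internal address"
    return "raw IP literal"

def find_risky_iframes(html):
    """Return (src, reason) for each iframe that should block conversion."""
    collector = IframeCollector()
    collector.feed(html)
    collector.close()
    findings = [(s, classify_src(s)) for s in collector.sources]
    return [(s, reason) for s, reason in findings if reason]

# Constructed sample input, not taken from the reported attacks.
SAMPLE = """<p>Quarterly report</p>
<iframe src="http://169.254.169.254/latest/meta-data/iam/info"></iframe>
<iframe src="https://docs.example.com/embed"></iframe>
<iframe src="http://10.0.0.5/admin"></iframe>
<iframe src="file:///etc/hostname"></iframe>"""
```

A filter like this does not follow redirects or resolve DNS, so it complements Pandoc's sandbox option and IMDSv2 enforcement and does not replace them.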
Additional findings indicate threat actors have also targeted similar SSRF bugs in other cloud applications, such as ClickHouse, though security measures prevented successful breaches.