From document converter to cloud key-nicker.
Pandoc CVE-2025-51591 → AWS IMDS.
Researchers report in-the-wild abuse of Pandoc SSRF (CVE-2025-51591, CVSS 6.5) to query AWS Instance Metadata Service, stealing EC2 IAM credentials. Root cause: Pandoc renders <iframe> in HTML; mitigations include sandbox flags or sanitising input. Shows continued IMDS targeting via “quiet” dependencies.
A flaw in Pandoc lets crafted HTML iframe requests poke the AWS metadata service, lifting temporary IAM creds. Not glamorous, very effective.
Fixes: run Pandoc with –sandbox / -f html+raw_html, sanitise user-supplied docs, and restrict IMDS access from apps that don’t need it.