Post

Hackers Exploit Pandoc CVE-2025-51591 to Target AWS IMDS and Steal EC2 IAM Credentials

Posted
By ictsec.pl
1 min read

Cloud security company Wiz has revealed that it uncovered in-the-wild exploitation of a security flaw in a Linux utility called Pandoc as part of attacks designed to infiltrate Amazon Web Services (AWS) Instance Metadata Service (IMDS). The vulnerability in question is CVE-2025-51591 (CVSS score: 6.5), which refers to a case of Server-Side Request Forgery (SSRF) that allows attackers to compromise a target system by injecting a specially crafted HTML iframe element.

The EC2 IMDS is a crucial component of the AWS cloud environment, offering information about running instances, as well as temporary, short-lived credentials if an identity and access management (IAM) role is associated with the instance. The instance metadata is accessible to any application running on an EC2 instance via a link-local address (169.254.169.254). One of the common methods that attackers can use to steal IAM credentials from IMDS is via SSRF flaws in web applications. This essentially involves tricking the app running on an EC2 instance to send a request seeking IAM credentials from the IMDS service on its behalf.

The latest findings from Wiz demonstrate that attacks targeting the IMDS service are continuing to take place, with adversaries leveraging SSRF vulnerabilities in little-known applications like Pandoc to enable them. “The vulnerability, tracked as CVE-2025-51591, stems from Pandoc rendering <iframe> tags in HTML documents,” Wiz researchers said. “This would allow an attacker to craft an <iframe> that points to the IMDS server, or other private resources.” “The attacker submitted crafted HTML documents containing <iframe> elements whose src attributes targeted the AWS IMDS endpoint at 169.254.169.254. The objective was to render and exfiltrate the content of sensitive paths, specifically /latest/meta-data/iam/info and /latest/meta-data/iam.”

Wiz said the attack was ultimately unsuccessful because of the enforcement of IMDSv2, which is session-oriented and mitigates the SSRF attack by first requiring a user to get a token and use that token in all requests to the IMDS via a special header (X-aws-ec2-metadata-token).

To read the complete article see: The Hacker News

SECURITY
CVE-2025-51591 AWS IAM CREDENTIALS SECURITY FLAW
This post is licensed under CC BY 4.0 by the author.