CVE-2025-51591 Overview
A Server-Side Request Forgery (SSRF) vulnerability exists in JGM Pandoc v3.6.4 that allows attackers to gain access to and potentially compromise infrastructure by injecting a crafted iframe. The vulnerability arises from Pandoc's default behavior of retrieving and parsing untrusted HTML content, which can be exploited to make unauthorized requests to internal services and resources.
This SSRF vulnerability is particularly concerning in cloud environments where attackers could target Instance Metadata Services (IMDS) to harvest cloud credentials and escalate privileges within the infrastructure.
Critical Impact
Attackers can leverage this SSRF vulnerability to access internal network resources, cloud metadata services, and potentially compromise entire infrastructure through crafted iframe injection in Pandoc document conversions.
Affected Products
- JGM Pandoc v3.6.4
- Pandoc installations using external PDF engines (e.g., wkhtmltopdf)
- Pandoc deployments without --sandbox option enabled
Discovery Timeline
- July 11, 2025 - CVE-2025-51591 published to NVD
- November 24, 2025 - Last updated in NVD database
Technical Details for CVE-2025-51591
Vulnerability Analysis
This Server-Side Request Forgery (SSRF) vulnerability in Pandoc stems from the application's handling of HTML content during document conversion. When Pandoc processes untrusted input containing crafted iframes or other HTML elements with external resource references, it can be manipulated to make requests to arbitrary URLs, including internal network addresses and cloud metadata endpoints.
The vulnerability is classified under CWE-918 (Server-Side Request Forgery), which describes scenarios where an attacker can abuse functionality on the server to read or update internal resources. In Pandoc's case, the document conversion functionality becomes the attack vector.
A proof-of-concept demonstrating this vulnerability is publicly available, increasing the risk of exploitation. According to research documented by Wiz on IMDS anomaly hunting, SSRF vulnerabilities like this one are frequently used to access cloud Instance Metadata Services (IMDS) for credential theft.
Root Cause
The root cause lies in Pandoc's default behavior of fetching and parsing external resources referenced in HTML content without proper URL validation or sandboxing. Several input formats including LaTeX, Org, RST, and Typst support include directives that can be abused to access local files or make network requests to internal services.
The GitHub Pandoc discussion #11200 and related issues (#10682, #11261, #8874) document the security implications of this default behavior and the need for proper sandboxing.
Attack Vector
The attack vector is network-based, requiring no user interaction. An attacker can exploit this vulnerability by submitting malicious HTML content containing crafted iframe elements or include directives to a Pandoc instance. When Pandoc processes this content, it makes requests to attacker-specified URLs, which can include:
- Internal network services (e.g., http://localhost:8080/admin)
- Cloud metadata endpoints (e.g., http://169.254.169.254/latest/meta-data/)
- Internal databases and APIs
The vulnerability is exacerbated when Pandoc is used with external PDF engines like wkhtmltopdf, as documented in related CVE-2022-35583.
writer could in principle do anything on your file system. Please
audit filters and custom writers very carefully before using them.
-2. Several input formats (including HTML, Org, and RST) support `include`
- directives that allow the contents of a file to be included in the
- output. An untrusted attacker could use these to view the contents of
- files on the file system. (Using the `--sandbox` option can
- protect against this threat.)
+2. Several input formats (including LaTeX, Org, RST, and Typst)
+ support `include` directives that allow the contents of a file to be
+ included in the output. An untrusted attacker could use these
+ to view the contents of files on the file system. (Using the
+ `--sandbox` option can protect against this threat.)
3. Several output formats (including RTF, FB2, HTML with
`--self-contained`, EPUB, Docx, and ODT) will embed encoded
Source: GitHub Pandoc Commit 67edf7ce - Security patch updating MANUAL.txt documentation
Detection Methods for CVE-2025-51591
Indicators of Compromise
- Unexpected outbound network connections from Pandoc processes to internal IP ranges (e.g., 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16)
- Requests to cloud metadata endpoints (169.254.169.254) originating from document conversion services
- Pandoc process logs showing external URL fetch operations for suspicious destinations
- Anomalous file access patterns indicating attempts to read sensitive system files through include directives
Detection Strategies
- Implement network monitoring to detect outbound connections from Pandoc processes to internal network segments or cloud metadata services
- Deploy web application firewalls (WAF) with rules to inspect and block HTML content containing suspicious iframe elements or URL schemes targeting internal resources
- Enable detailed logging for Pandoc operations and monitor for unusual URL fetch patterns
- Use SentinelOne's behavioral AI to detect anomalous process network activity from document conversion applications
Monitoring Recommendations
- Configure alerts for any network traffic from Pandoc processes to RFC 1918 private address spaces
- Monitor cloud provider security logs for IMDS access from unexpected sources
- Implement file integrity monitoring on sensitive configuration files that could be targeted via include directives
- Set up anomaly detection for unusual Pandoc process behavior including unexpected child processes or network connections
How to Mitigate CVE-2025-51591
Immediate Actions Required
- Enable the --sandbox option when running Pandoc to restrict file system access and mitigate SSRF risks
- Use pandoc-server instead of direct Pandoc invocation for better security isolation
- Review and restrict external PDF engine usage, particularly wkhtmltopdf, which has known SSRF vulnerabilities
- Implement input validation to sanitize HTML content before processing with Pandoc
Patch Information
A security update addressing the documentation and security guidance is available in commit 67edf7ce. This update clarifies which input formats support include directives that can lead to SSRF vulnerabilities.
Organizations should review the Pandoc Documentation for the latest security recommendations and ensure they are running the most recent version with appropriate security configurations.
For detailed vulnerability research, refer to the CVE-2025-51591 Research repository and the public PoC.
Workarounds
- Always use the --sandbox flag when processing untrusted content: pandoc --sandbox input.html -o output.pdf
- Deploy Pandoc in a network-isolated environment with no access to internal services or cloud metadata endpoints
- Implement egress filtering to block outbound connections from document processing services to sensitive internal networks
- Consider using pandoc-server which provides additional security boundaries for document conversion
# Configuration example
# Enable sandbox mode when running Pandoc
pandoc --sandbox input.html -o output.pdf
# Use pandoc-server for better isolation
pandoc-server --port 3030 --sandbox
# Block metadata endpoint access at the network level (iptables example)
iptables -A OUTPUT -d 169.254.169.254 -j DROP
# Restrict Pandoc to specific output formats without external dependencies
pandoc --sandbox --pdf-engine=pdflatex input.md -o output.pdf
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
