Hackers Exploit Pandoc CVE-2025-51591 to Target AWS IMDS and Steal EC2 IAM Credentials

Summary

The article details a vulnerability (CVE-2025-51591) in Pandoc being exploited to target AWS IMDS for IAM credential theft. Wiz uncovered these attacks, which leverage SSRF vulnerabilities. Mitigation involves enforcing IMDSv2 and using Pandoc's security options.

Key Takeaways

1. Hackers are exploiting a vulnerability (CVE-2025-51591) in Pandoc to target AWS IMDS and steal EC2 IAM credentials.
2. The vulnerability is a Server-Side Request Forgery (SSRF) that allows attackers to compromise systems by injecting a crafted HTML iframe element.
3. Mitigation involves enforcing IMDSv2 across all EC2 instances and using the "-f html+raw_html" or "--sandbox" options in Pandoc.

Statement Breakdown

• Claimed Facts: 70% of statements the article presents as facts
• Opinions: 20% of statements classified as editorial or subjective
• Claims: 10% of statements surfaced for additional reader evaluation

Credibility & Bias Reasoning

Credibility assessment: The article primarily relies on information from Wiz, a cloud security company, and Mandiant, a Google-owned cybersecurity firm, both of which are reputable sources. It also cites CVE details and CVSS scores, which are standard in cybersecurity reporting. The article presents a clear narrative supported by technical details, enhancing its credibility.

Bias assessment: Security-focused. The article focuses on security vulnerabilities and exploits within cloud environments, particularly AWS. It emphasizes the importance of security measures and best practices to mitigate risks. While informative, the article's focus on potential threats and vulnerabilities could be perceived as security-focused.

Note: While the article cites reputable sources, verify specific technical details and recommendations with official documentation and security advisories.

Credibility flag: Verify Details

Claimed Facts (7)

• This is a factual statement about Wiz's findings.
• This provides specific details about the vulnerability.
• This describes the function of EC2 IMDS.
• This is a direct quote from Wiz researchers explaining the impact of SSRF.
• This provides historical context and evidence of similar attacks.
• This explains the root cause of the vulnerability in Pandoc.
• This explains why the observed attacks were not successful.

Opinions (6)

• This is a subjective assessment of the importance of EC2 IMDS.
• This is a simplified explanation that could be considered an opinion on how SSRF works.
• This is an assertion about the real-world relevance of the threat.
• This is an interpretation of why IMDSv1 is a target.
• This is an interpretation of the impact of SSRF.
• This is a recommendation based on the author's understanding of best practices.

Claims (5)

• While the intention is to be secure, stolen credentials negate the security aspect.
• The phrase "severe and far-reaching" is vague and lacks specific evidence.
• While technically possible, this is a generalization of the potential impact.
• This statement is somewhat alarmist, implying a high level of risk without quantifying it.
• This is a claim about the attacker's actions, but the success of the attack is later stated to be limited.

Key Sources

• Wiz — Cloud security company
• Hila Ramati — Wiz Researchers
• Gili Tikochinski — Wiz Researchers
• Mandiant — Google-owned cybersecurity firm
• Resecurity — Cybersecurity company
• The Hacker News — News source