Cloud security company Wiz has found that a security flaw in a Linux utility called Pandoc is being actively exploited by hackers. The attacks are designed to infiltrate the Amazon Web Services (AWS) Instance Metadata Service (IMDS).
The vulnerability is tracked as CVE-2025-51591 and is a Server-Side Request Forgery (SSRF) flaw. It allows attackers to compromise a system by injecting a specially crafted HTML iframe element. The EC2 IMDS is a key component of AWS that provides information about running instances and temporary credentials.
A common method for attackers to steal credentials from IMDS is to use SSRF flaws in web applications. This involves tricking an application running on an EC2 instance into sending a request for IAM credentials from the IMDS service on its behalf. If the application is vulnerable, an attacker can harvest these credentials without needing direct access to the host.
This is a real threat, as hackers have been using IMDS credentials to steal data from AWS environments since 2021. The issue primarily affects IMDSv1, which is a request and response protocol that is an easy target for bad actors.
Wiz researchers observed hackers using this vulnerability to target the IMDS endpoint. The attackers submitted crafted HTML documents that contained iframe elements pointing to the IMDS server. The goal was to get and steal the content of sensitive paths.
How to Stay Safe
The attack was ultimately unsuccessful because of the use of IMDSv2, a session-oriented protocol that requires a token to be used in all requests. This mitigates the SSRF attack.
To protect against this vulnerability, it is recommended that organizations use the "--sandbox" option with Pandoc to prevent it from including the contents of iframes. Experts also recommend enforcing IMDSv2 across all EC2 instances and assigning roles with the principle of least privilege to contain the damage in case of a compromise.
Found this article interesting? Follow us on X(Twitter) ,Threads and FaceBook to read more exclusive content we post.
