Cloud security company Wiz has revealed that it uncovered in-the-wild exploitation of a security flaw in a Linux utility called Pandoc as part of attacks designed to infiltrate Amazon Web Services (AWS) Instance Metadata Service (IMDS).
The vulnerability in question is CVE-2025-51591 (CVSS score: 6.5), which refers to a case of Server-Side Request Forgery (SSRF) that allows attackers to compromise a target system by injecting a specially crafted HTML iframe element.
The EC2 IMDS is a crucial component of the AWS cloud environment, offering information about running instances, as well as temporary, short-lived credentials if an identity and access management (IAM) role is associated with the instance. The instance metadata is accessible to any application running on an EC2 instance via a link-local address (169.254.169[.]254).
These credentials can then be used to securely interact with other AWS services like S3, RDS, or DynamoDB, permitting applications to authenticate without the need for storing credentials on the machine, thereby reducing the risk of accidental exposure.
One of the common methods that attackers can use to steal IAM credentials from IMDS is via SSRF flaws in web applications. This essentially involves tricking the app running on an EC2 instance to send a request seeking IAM credentials from the IMDS service on its behalf.
“If the application can reach the IMDS endpoint and is susceptible to SSRF, the attacker can harvest temporary credentials without needing any direct host access (such as RCE or path traversal),” Wiz researchers Hila Ramati and Gili Tikochinski said.
An adversary looking to target AWS infrastructure can therefore search for SSRF vulnerabilities in web applications running on EC2 instances and, when found, access the instance metadata and steal IAM credentials. This is not a theoretical threat.
As far back as early 2022, Google-owned Mandiant found that a threat actor it tracks as UNC2903 had attacked AWS environments by abusing credentials obtained using IMDS since July 2021, exploiting an SSRF flaw (CVE-2021-21311, CVSS score: 7.2) in Adminer, an open-source database management tool, to facilitate data theft.
The issue, at its core, stems from the fact that IMDS, or more specifically IMDSv1, is a request and response protocol, making it an attractive target for bad actors who target exploitable web applications that also run IMDSv1.
In a report published last month, Resecurity warned that when SSRF is exploited against cloud infrastructure like AWS, it can have “severe and far-reaching” consequences, resulting in cloud credential theft, network reconnaissance, and unauthorized access to internal services.
“Since SSRF originates from within the server, it can reach endpoints protected by perimeter firewalls. This effectively turns the vulnerable application into a proxy, allowing the attacker to: Bypass IP whitelists [and] reach otherwise unreachable internal assets,” it said.
The latest findings from Wiz demonstrate that attacks targeting the IMDS service are continuing to take place, with adversaries leveraging SSRF vulnerabilities in little-known applications like Pandoc to enable them.
“The vulnerability, tracked as CVE-2025-51591, stems from Pandoc rendering <iframe> tags in HTML documents,” Wiz researchers said. “This would allow an attacker to craft an <iframe> that points to the IMDS server, or other private resources.”
“The attacker submitted crafted HTML documents containing <iframe> elements whose src attributes targeted the AWS IMDS endpoint at 169.254.169[.]254. The objective was to render and exfiltrate the content of sensitive paths, specifically /latest/meta-data/iam/info and /latest/meta-data/iam.”
Wiz said the attack was ultimately unsuccessful because of the enforcement of IMDSv2, which is session-oriented and mitigates the SSRF attack by first requiring a user to get a token and use that token in all requests to the IMDS via a special header (X-aws-ec2-metadata-token).
The company told The Hacker News that it observed in-the-wild exploitation attempts “dating back to August and continuing for a few weeks,” adding it also found continued efforts on the part of unknown threat actors to abuse another SSRF flaw in ClickHouse to unsuccessfully breach a target’s Google Cloud Platform.
To mitigate the risk posed by CVE-2025-51591 in cloud environments, it’s advised to use the “-f html+raw_html” option or the “–sandbox” option to prevent Pandoc from including the contents of iframe elements through the src attribute.
“[Pandoc maintainers] decided that rendering iframes is the intended behavior and that the user is responsible to either sanitize the input or use the sandbox flags when handling user inputs,” Wiz said.
“Although Amazon recommends implementing the IMDSv2 with GuardDuty enhancements, EC2 instances created by Amazon customers that instead use IMDSv1 may be at risk when combined with also running unpatched vulnerable third party software,” Mandiant researchers warned at the time.
Organizations are recommended to enforce IMDSv2 across all EC2 instances and ensure that instances are assigned roles that follow the principle of least privilege (PoLP) to contain the blast radius in the event of an IMDS compromise.
