CVE-2025-51591

LOW EXPLOITED

JGM Pandoc 3.6.4 - Server-Side Request Forgery via Crafted iframe

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2025-51591 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 2 public exploits from researchers including adminlove520, Malayke.

AI-analyzed exploit summary The repository contains a scanner for CVE-2024-21762, a Fortinet SSL VPN vulnerability, which checks for the presence of the vulnerability by sending crafted HTTP requests. It does not include exploit code but provides detection capabilities.

Description

A Server-Side Request Forgery (SSRF) in JGM Pandoc v3.6.4 allows attackers to gain access to and compromise the whole infrastructure via injecting a crafted iframe. Note: Some users have stated that Pandoc by default can retrieve and parse untrusted HTML content which can enable SSRF vulnerabilities. Using the ‘--sandbox’ option or ‘pandoc-server’ can mitigate such vulnerabilities. Using pandoc with an external ‘--pdf-engine’ can also enable SSRF vulnerabilities, such as CVE-2022-35583 in wkhtmltopdf.

Exploits (2)

github SCANNER 2 stars
by adminlove520 · pythonpoc
https://github.com/adminlove520/CVE-Poc_All_in_One/tree/main/2025/CVE-2025-51591

The repository contains a scanner for CVE-2024-21762, a Fortinet SSL VPN vulnerability, which checks for the presence of the vulnerability by sending crafted HTTP requests. It does not include exploit code but provides detection capabilities.

Classification
Scanner 90%
Attack Type
Info Leak
Complexity
Trivial
Reliability
Reliable
Target: Fortinet SSL VPN
No auth needed
Prerequisites: network access to the target Fortinet SSL VPN interface
devstral-2 · analyzed Feb 27, 2026 Full analysis →
nomisec WORKING POC
by Malayke · infoleak
https://github.com/Malayke/CVE-2025-51591-Pandoc-SSRF-POC

This repository provides a functional proof-of-concept for CVE-2025-51591, an SSRF vulnerability in Pandoc v3.6.4. The exploit involves injecting a crafted iframe into an HTML file, which is then converted to PDF using Pandoc, triggering an SSRF request to an attacker-controlled OAST URL.

Classification
Working Poc 90%
Attack Type
Ssrf
Complexity
Trivial
Reliability
Reliable
Target: JGM Pandoc v3.6.4
No auth needed
Prerequisites: Pandoc v3.6.4 installed · Ability to craft and serve an HTML file with an iframe pointing to an attacker-controlled URL
devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (13)

Core 13

Scores

CVSS v3 3.7
EPSS 0.0040
EPSS Percentile 60.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

VulnCheck KEV 2025-09-22
CWE
CWE-918
Status published
Published Jul 11, 2025
Tracked Since Feb 18, 2026