CVE-2025-51591

A Server-Side Request Forgery (SSRF) in JGM Pandoc v3.6.4 allows attackers to gain access to and compromise the whole infrastructure via injecting a crafted iframe.

CVSS v3 3.7 LOW

3.7^/10

CVSS v3 : LOW

V3 Legend

Vector :

Exploitability : 2.2 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
http://jgm.com
http://pandoc.com
https://github.com/RealestName/Vulnerability-Research/tree/main/CVE-2025-51591
https://github.com/jgm/pandoc/commit/67edf7ce7cd3563a180ae44bd122b012e22364f8
https://github.com/jgm/pandoc/issues/10682
https://pandoc.org
https://www.wiz.io/blog/imds-anomaly-hunting-zero-day
not-applicable:http://jgm.com/
not-applicable:http://pandoc.com/

Configurations

No configuration.

History

07 Oct 2025, 16:15

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~6.5~~	v2 : unknown v3 : 3.7
References		() https://github.com/jgm/pandoc/commit/67edf7ce7cd3563a180ae44bd122b012e22364f8 - () https://github.com/jgm/pandoc/issues/10682 - () https://www.wiz.io/blog/imds-anomaly-hunting-zero-day - () not-applicable:http://jgm.com/ - () not-applicable:http://pandoc.com/ -

24 Sep 2025, 14:15

Type	Values Removed	Values Added
References		() https://pandoc.org -

15 Jul 2025, 13:14

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-07-11 14:15

Updated : 2025-10-07 16:15

NVD link : CVE-2025-51591

Mitre link : CVE-2025-51591

CVE.ORG link : CVE-2025-51591

JSON object : View

Products Affected

No product.

CWE

CWE-918

Server-Side Request Forgery (SSRF)

3.7 /10