Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

redhat логотип

CVE-2025-51591

Опубликовано: 11 июл. 2025
Источник: redhat
CVSS3: 4.8

Описание

A Server-Side Request Forgery (SSRF) in JGM Pandoc v3.6.4 allows attackers to gain access to and compromise the whole infrastructure via injecting a crafted iframe.

A Server-Side Request Forgery (SSRF) flaw has been discovered in Pandoc. Maliciously crafted input can inject an iframe into pdf output.

Меры по смягчению последствий

When ingesting untrusted input users are advised to Pandoc's --sandbox option.

Затронутые пакеты

ПлатформаПакетСостояниеРекомендацияРелиз
Red Hat Enterprise Linux 8pandocAffected

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Moderate
Дефект:
CWE-918
https://bugzilla.redhat.com/show_bug.cgi?id=2379543pandoc: Server-Side Request Forgery in Pandoc

4.8 Medium

CVSS3

Связанные уязвимости

ubuntu логотип

CVE-2025-51591

CVSS3: 3.7
ubuntu
5 месяцев назад

A Server-Side Request Forgery (SSRF) in JGM Pandoc v3.6.4 allows attackers to gain access to and compromise the whole infrastructure via injecting a crafted iframe. Note: Some users have stated that Pandoc by default can retrieve and parse untrusted HTML content which can enable SSRF vulnerabilities. Using the ‘--sandbox’ option or ‘pandoc-server’ can mitigate such vulnerabilities. Using pandoc with an external ‘--pdf-engine’ can also enable SSRF vulnerabilities, such as CVE-2022-35583 in wkhtmltopdf.

nvd логотип

CVE-2025-51591

CVSS3: 3.7
nvd
5 месяцев назад

A Server-Side Request Forgery (SSRF) in JGM Pandoc v3.6.4 allows attackers to gain access to and compromise the whole infrastructure via injecting a crafted iframe. Note: Some users have stated that Pandoc by default can retrieve and parse untrusted HTML content which can enable SSRF vulnerabilities. Using the ‘--sandbox’ option or ‘pandoc-server’ can mitigate such vulnerabilities. Using pandoc with an external ‘--pdf-engine’ can also enable SSRF vulnerabilities, such as CVE-2022-35583 in wkhtmltopdf.

debian логотип

CVE-2025-51591

CVSS3: 3.7
debian
5 месяцев назад

A Server-Side Request Forgery (SSRF) in JGM Pandoc v3.6.4 allows attac ...

github логотип

GHSA-mcv3-ch54-xqfh

CVSS3: 6.5
github
5 месяцев назад

A Server-Side Request Forgery (SSRF) in JGM Pandoc v3.6.4 allows attackers to gain access to and compromise the whole infrastructure via injecting a crafted iframe.

fstec логотип

BDU:2025-13963

CVSS3: 6.5
fstec
3 месяца назад

Уязвимость библиотеки преобразования форматов разметки Pandoc языка программирования Haskell, связанная c подделкой запросов на стороне сервера, позволяющая нарушителю раскрыть защищаемую информацию

4.8 Medium

CVSS3