Patch for CVE-2025-51591

[CSMurray-CISA]

I wanted to inquire whether there is any available information regarding the patch for CVE-2025-51591. Additionally, if feasible, could you please associate the CVE identifier with the corresponding commit or issue that addresses the fix? This would greatly assist with tracking and future reference.

[jgm]

At first I had no idea what this even is. It contains links to nonexistent sites (or sites not affiliated with this project: pandoc.com, jgm.com). And it seems to contain only an incredibly vague description of an issue with no details. (And it is marked "awaiting analysis.")

Finally I found a link to #10682 where the issue is discussed.

As noted there, we don't consider this a bug in the code, although pandoc can certainly be misused in ways that create a security issue. We addressed it by adding a note in the Security section of the manual: 67edf7c

Our general advice is that people running pandoc on a server should always use the --sandbox option (or use pandoc-server, which is automatically sandboxed). This would avoid not this issue but other potential issues of the same sort (also discussed in the Security section of the manual). (For example, pandoc --embed-resources on untrusted HTML can leak information from non-image files linked from <img> elements.)

If there are better ideas, I'm all ears. The person who submitted the issue seemed to think that adding something to the Security section was the best approach.

[amanion-cisa]

We're working on a theory that CVE-2025-51591 is a duplicate of CVE-2022-35583 with wkhtmltopdf being primarily responsible for the SSRF by fetching iframes (and maybe other remote content like images). Will post more in this discussion thread soon.

[jgm]

No, that's not right. Pandoc itself fetches the content of the iframe.
The relevant code is here: https://github.com/jgm/pandoc/blob/main/src/Text/Pandoc/Readers/HTML.hs#L513-L537

[jgm]

And I have the same attitude towards the parallel CVE for wkhtmltopdf: This is a command line program. It is not a defect in the program itself if shelling out to it in a web app can cause security problems. The same is true for cat, echo, curl, and many other command line programs. Both CVEs, in my view, are spurious. If they are not spurious, we need CVEs for cat, echo, and curl too. Pandoc's manual clearly explains the precautions you need to take if you invoke pandoc from a web app on untrusted input. And pandoc offers a server mode pandoc --server which is not subject to this issue.

[tarleb]

There is a CVE for tar (from 2005), with the highest possible exploitability score, which has never been fixed because it's the expected and documented behavior. I think the difference between feature and security issue isn't always clear, at least to me.

[dw4rren]

I am trying to repro this behavior.

test-iframe.html

<html>
	<p> This text is outside the iframe.</p>
	<iframe src="http://localhost:8000/iframe-target.html">
	</iframe>
	<p> This text is outside the iframe.</p>
</html>

iframe-target.html

<html>
	<title>iframe target</title>
	<p>I am text within the iframe target.</p>
</html>

I then start a webserver with python3 -m http.server.

pandoc -o output.pdf test-iframe.html

seems to strip the embedded <iframe>. I also don't see a request for iframe-target.html. Should this be fetching and rendering the <iframe>?

whereas

pandoc -f html+raw_html --pdf-engine wkhtmltopdf -o output.pdf test-iframe.html

fetches the <iframe>, I can see the GET /iframe-target.html HTTP/1.1 and it is contained in the output PDF. I am testing on pandoc-3.8.2-linux-amd64 (and various versions shipped with Ubuntu). Oddly enough -f html+raw_html seems to be required for wkhtmltopdf to fetch the <iframe>.

[jgm]

Try with:

<html>
	<p> This text is outside the iframe.</p>
	<iframe src="http://localhost:8000/iframe-target.html"></iframe>
	<p> This text is outside the iframe.</p>
</html>

Pandoc seems not to like it when there is whitespace between the iframe open and close tag (this can be fixed).

[dw4rren]

That worked, thanks.

I would also note that when running

pandoc --sandbox -f html+raw_html -o output-wk.pdf test-iframe.html --pdf-engine=wkhtmltopdf

even though the user has passed --sandbox and html+raw_html (perhaps following security notes), raw_html enables wkhtmltopdf to still happily retrieve the iframe.