CVE-2025-51591: 
Linux Debian vulnerability analysis and mitigation

A Server-Side Request Forgery (SSRF) vulnerability has been identified in JGM Pandoc version 3.6.4 (CVE-2025-51591). The vulnerability was discovered and disclosed on July 11, 2025, affecting the core functionality of the software. This security flaw allows attackers to gain unauthorized access to and potentially compromise the entire infrastructure through the injection of a crafted iframe (NVD).

The vulnerability has been assigned a CVSS 3.1 Base Score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N. This indicates that the vulnerability is network-accessible, requires high attack complexity, needs no privileges, requires no user interaction, has unchanged scope, and can result in high confidentiality impact with low integrity impact (NVD). The vulnerability has been classified under CWE-918 (Server-Side Request Forgery).

The vulnerability's impact is significant as it allows attackers to potentially compromise the entire infrastructure. The CVSS scoring indicates high confidentiality impact, meaning sensitive information could be exposed, along with low integrity impact, suggesting some system data could be modified (NVD).

The vulnerability affects Pandoc version 3.6.4, and users are advised to update to a newer version once available. Currently, the Debian security tracker indicates that multiple versions remain vulnerable, including bullseye (2.9.2.1-1+deb11u1), bookworm (2.17.1.1-2~deb12u1), and sid/trixie (3.1.11.1+ds-2) (Debian Tracker).