Entroy C has discovered a security vulnerability in pandoc, affecting all recent versions of pandoc (and probably versions as old as 1.13). The vulnerability affects the MediaBag mechanism and allows users to write arbitrary files to any location by feeding pandoc an image element with a specially crafted URL when using --extract-media or creating a PDF. The vulnerability is serious for anyone using pandoc to process untrusted input. The vulnerability does not affect pandoc when run with the --sandbox flag.
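The class of bug described above, an extraction path derived from an attacker-controlled image URL ending up outside the media directory, is easy to model and just as easy to guard against. The following is an added illustration, not pandoc's code and not its actual fix: it pairs a naive extractor that joins the decoded URL path straight onto the extraction directory with a hardened version that resolves the candidate path and refuses anything that escapes the directory. The URL-to-filename scheme, the directory `/srv/media` and the sample URLs are all constructed for the example and do not reproduce the specific input that triggered the pandoc issue.

```python
"""Constructed model of a media-extraction path check (not pandoc's code)."""
import os
from urllib.parse import urlparse, unquote


def url_to_relative_path(url: str) -> str:
    """Derive an on-disk name from a URL the way a naive extractor might:
    take the URL's path component and percent-decode it. (Assumption for
    this illustration; pandoc's actual naming scheme is not modelled.)"""
    return unquote(urlparse(url).path)


def naive_media_path(extract_dir: str, url: str) -> str:
    """Unsafe: joins the decoded URL path onto the extraction directory
    with no containment check. An absolute path replaces extract_dir
    entirely, and '..' segments walk out of it."""
    return os.path.join(extract_dir, url_to_relative_path(url))


def safe_media_path(extract_dir: str, url: str):
    """Hardened: strip leading slashes, resolve the candidate path, and
    refuse anything that does not stay inside the resolved extraction
    directory. Returns the absolute path to write, or None to reject.
    POSIX paths only; Windows drive letters are not handled here."""
    base = os.path.realpath(extract_dir)
    rel = url_to_relative_path(url).lstrip("/")
    if not rel:
        return None
    candidate = os.path.realpath(os.path.join(base, rel))
    # commonpath compares whole path segments (both arguments are absolute
    # after realpath), so "/srv/media-evil" is not mistaken for a child of
    # "/srv/media", and realpath has already collapsed any ".." segments.
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


if __name__ == "__main__":
    # Constructed inputs: they illustrate a URL-derived path escaping the
    # media directory in general, not the exact pandoc trigger.
    for url in ("img/a.png", "file:///etc/cron.d/job", "../../etc/passwd",
                "img/%2e%2e/%2e%2e/%2e%2e/etc/x"):
        print(f"{url!r:40} naive -> {naive_media_path('/srv/media', url)}")
        print(f"{'':40} safe  -> {safe_media_path('/srv/media', url)}")
```

The decisive step is checking the resolved path, not the raw string: percent-encoded dots, absolute paths and `..` segments all collapse under `os.path.realpath` before the containment test, which is why the hardened version rejects the last two inputs while still accepting an ordinary relative image name. This is only the general defence; the fix pandoc actually committed is in the repository referenced below.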
The vulnerability is fixed in commit 5e381e3878b5da87ee7542f7e51c3c1a7fd84b89 in the main branch of the pandoc repository.
It can also be avoided by using --sandbox (which we recommend anyway when processing untrusted input).
I plan to put out a release with this fix soon, but I wanted to announce the vulnerability now, since the commit is now visible in a public repository.
Many thanks to Entroy C for finding the issue.