Loading HuntDB...
Hunt
Vulnerability Intelligence by wss.sh
Home Daily Briefings High Impact CVEs Recent Exploits KEV Catalog GitHub Advisories Latest Updates Security News
Sign In Sign Up

CVE-2025-53624

CRITICAL
Published 2025-07-09T21:08:14.595Z
Actions:

Expert Analysis

Professional remediation guidance

Get tailored security recommendations from our analyst team for CVE-2025-53624. We'll provide specific mitigation strategies based on your environment and risk profile.

CVSS Score

V3.1
10.0
/10
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Base Score Metrics
Exploitability: N/A Impact: N/A

Attack Vector Metrics

Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED

Impact Metrics

Confidentiality
HIGH
Integrity
HIGH
Availability
HIGH

Description

The Docusaurus gists plugin adds a page to your Docusaurus instance, displaying all public gists of a GitHub user. docusaurus-plugin-content-gists versions prior to 4.0.0 are vulnerable to exposing GitHub Personal Access Tokens in production build artifacts when passed through plugin configuration options. The token, intended for build-time API access only, is inadvertently included in client-side JavaScript bundles, making it accessible to anyone who can view the website's source code. This vulnerability is fixed in 4.0.0.

Available Exploits

No exploits available for this CVE.

Related News

No news articles found for this CVE.

Affected Products

webbertakken

docusaurus-plugin-content-gists

Affected Versions:

< 4.0.0

EU Vulnerability Database

Monitored by ENISA for EU cybersecurity

EU Coordination

EU Coordinated

Exploitation Status

No Known Exploitation

EUVD ID

View on ENISA

ENISA Analysis

The Docusaurus gists plugin adds a page to your Docusaurus instance, displaying all public gists of a GitHub user. docusaurus-plugin-content-gists versions prior to 4.0.0 are vulnerable to exposing GitHub Personal Access Tokens in production build artifacts when passed through plugin configuration options. The token, intended for build-time API access only, is inadvertently included in client-side JavaScript bundles, making it accessible to anyone who can view the website's source code. This vulnerability is fixed in 4.0.0.

Affected Products (ENISA)

webbertakken
docusaurus-plugin-content-gists

ENISA Scoring

CVSS Score (3.1)

10.0
/10
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

EPSS Score

5.440
probability

ENISA References

https://github.com/webbertakken/docusaurus-plugin-content-gists/security/advisories/GHSA-qf34-qpr4-5pph
https://github.com/webbertakken/docusaurus-plugin-content-gists/commit/8d4230b82412edb215ddfa9e609d178510a5fe31

Data provided by ENISA EU Vulnerability Database. Last updated: July 10, 2025

GitHub Security Advisories

Community-driven vulnerability intelligence from GitHub

✓ GitHub Reviewed CRITICAL

docusaurus-plugin-content-gists vulnerability exposes GitHub Personal Access Token

GHSA-qf34-qpr4-5pph

Advisory Details

## GitHub Personal Access Token Exposure in docusaurus-plugin-content-gists ### Summary docusaurus-plugin-content-gists versions prior to 4.0.0 are vulnerable to exposing GitHub Personal Access Tokens in production build artifacts when passed through plugin configuration options. The token, intended for build-time API access only, is inadvertently included in client-side JavaScript bundles, making it accessible to anyone who can view the website's source code. ### Affected Versions - All versions < 4.0.0 ### Patched Versions - Version 4.0.0 and later ### Impact When using the affected versions with the recommended configuration pattern: ```javascript plugins: [ [ 'docusaurus-plugin-content-gists', { personalAccessToken: process.env.GITHUB_PERSONAL_ACCESS_TOKEN, }, ], ] ``` The GitHub Personal Access Token is included in the webpack bundle and exposed in production builds at: - `/build/assets/js/main.[hash].js` This allows malicious actors to: - Extract the GitHub Personal Access Token from the website's JavaScript files - Use the stolen token to access the token owner's GitHub account with the granted permissions - Potentially access private gists, repositories, or perform other actions depending on the token's scope ## Mitigation steps 1. Immediately revoke access to the GitHub PAT that was used: https://github.com/settings/tokens ### Migration steps 1. Update to version 4.0.0+: `npm install docusaurus-plugin-content-gists@^4.0.0` 3. Remove `personalAccessToken` from your plugin configuration 4. Ensure `GH_PERSONAL_ACCESS_TOKEN` is set in your build environment

Affected Packages

npm docusaurus-plugin-content-gists
ECOSYSTEM: ≥0 <4.0.0

CVSS Scoring

CVSS Score

9.0

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

References

WEB https://github.com/webbertakken/docusaurus-plugin-content-gists/security/advisories/GHSA-qf34-qpr4-5pph
ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2025-53624
WEB https://github.com/webbertakken/docusaurus-plugin-content-gists/commit/8d4230b82412edb215ddfa9e609d178510a5fe31
PACKAGE https://github.com/webbertakken/docusaurus-plugin-content-gists

Advisory provided by GitHub Security Advisory Database. Published: July 9, 2025, Modified: July 9, 2025

Social Media Intelligence

Real-time discussions and threat intelligence from social platforms

1 post
Reddit 3 weeks, 3 days ago
Steve_Dobbs_69

CVE-2025-53624: Critical Security Vulnerability in Docusaurus Gists Plugin

1
1.0
View Original

References

https://github.com/webbertakken/docusaurus-plugin-content-gists/security/advisories/GHSA-qf34-qpr4-5pph
https://github.com/webbertakken/docusaurus-plugin-content-gists/commit/8d4230b82412edb215ddfa9e609d178510a5fe31
Published: 2025-07-09T21:08:14.595Z
Last Modified: 2025-07-10T15:18:11.559Z
Copied to clipboard!