CVE-2025-53624
Published: 09 July 2025
Summary
CVE-2025-53624 is a critical-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability. Its CVSS base score is 10.0 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Credentials In Files (T1552.001). The CVE ranks in the top 5.4% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-22 (Publicly Accessible Content) and IA-5 (Authenticator Management).
Deeper analysis
The vulnerability affects the Docusaurus gists plugin, specifically docusaurus-plugin-content-gists versions prior to 4.0.0. When a GitHub Personal Access Token is supplied via plugin configuration options for build-time API access, the token is inadvertently embedded in client-side JavaScript bundles generated during production builds, exposing sensitive credentials to anyone inspecting the rendered site source.
An unauthenticated attacker who can reach the deployed site can extract the token from the bundle and use it for any actions permitted by its scopes, such as reading or modifying GitHub data. The flaw carries a CVSS score of 10.0 under CWE-200, reflecting network-exposable impact with no required privileges or user interaction.
The referenced GitHub Security Advisory GHSA-qf34-qpr4-5pph and the associated commit confirm the issue is resolved in version 4.0.0; practitioners should upgrade the plugin and rotate any tokens previously used in builds. The EPSS score has remained flat at 0.1437 with no material increase observed after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-20874
Vulnerability details
The Docusaurus gists plugin adds a page to your Docusaurus instance, displaying all public gists of a GitHub user. docusaurus-plugin-content-gists versions prior to 4.0.0 are vulnerable to exposing GitHub Personal Access Tokens in production build artifacts when passed through plugin configuration options. The token, intended for build-time API access only, is inadvertently included in client-side JavaScript bundles, making it accessible to anyone who can view the website's source code. This vulnerability is fixed in 4.0.0.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability directly embeds the GitHub PAT into publicly served client-side JS bundles, enabling trivial extraction of unsecured credentials from files.
Mitigating Controls (NIST 800-53 r5)
SI-2 requires identifying, reporting, and correcting flaws such as the plugin vulnerability that embeds GitHub tokens in client-side bundles, with timely patching to version 4.0.0.
IA-5 mandates protecting authenticators like GitHub Personal Access Tokens from unauthorized disclosure, preventing their embedding in publicly accessible artifacts.
AC-22 restricts the types of sensitive information, such as access tokens, that can be included in publicly accessible content like client-side JavaScript bundles.