Cyber Resilience

CVE-2025-53624

Critical

Published: 09 July 2025
Modified: 15 April 2026
CVSS Score v3.1: 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.1437 (94.6th percentile)
Risk Priority: 29 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-53624 is a critical-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability. Its CVSS base score is 10.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Credentials In Files (T1552.001). The CVE ranks in the top 5.4% of CVEs by exploit likelihood (EPSS) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-22 (Publicly Accessible Content) and IA-5 (Authenticator Management).

Deeper analysis

The vulnerability affects the Docusaurus gists plugin, specifically docusaurus-plugin-content-gists versions prior to 4.0.0. When a GitHub Personal Access Token is supplied via plugin configuration options for build-time API access, the token is inadvertently embedded in client-side JavaScript bundles generated during production builds, exposing sensitive credentials to anyone inspecting the rendered site source.

An unauthenticated attacker who can reach the deployed site can extract the token from the bundle and use it for any action permitted by the token's scopes, such as reading or modifying GitHub data. The flaw carries a CVSS score of 10.0 under CWE-200: it is reachable over the network and requires no privileges or user interaction, and the scope change reflects that the compromised asset (the GitHub account behind the token) is not the site itself.

The referenced GitHub Security Advisory GHSA-qf34-qpr4-5pph and the associated commit confirm the issue is resolved in version 4.0.0; practitioners should upgrade the plugin and rotate any tokens previously used in builds. The EPSS score has remained flat at 0.1437 with no material increase observed after disclosure.
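The mechanism described above, as an added example that is not the plugin's own code: a build-time secret passed in as a plugin option is serialised into the client bundle by the plugin host, the hardened variant strips the secret before anything reaches the client, and a defender-side check scans build output for GitHub token shapes so the leak is caught before deployment. The plugin names, the `githubToken` option, `fetchGistsStub` and the minimal `buildSite` host are assumptions for illustration; Docusaurus does expose `actions.setGlobalData` during `contentLoaded`, which is the real channel by which plugin data ends up in client-side JavaScript.

```javascript
// Added example, not the vulnerable plugin's code. Plugin hooks are written
// synchronously here for clarity; Docusaurus hooks are normally async.

// Stand-in for the part of the plugin host that collects global data and emits
// it into the client bundle (constructed for this example).
function buildSite(plugin, options) {
  const globalData = {};
  const actions = {
    setGlobalData(data) { Object.assign(globalData, data); },
  };
  const instance = plugin({ /* site context unused here */ }, options);
  const content = instance.loadContent();
  instance.contentLoaded({ content, actions });
  // Real builds write this into assets/js/*.js; the string is what a visitor
  // would see in the served bundle.
  return `window.__docusaurus_globalData=${JSON.stringify(globalData)};`;
}

// Build-time API access stub: the token would go in an Authorization header
// on the server side only. Returns constructed sample data.
function fetchGistsStub(username, githubToken) {
  const authenticated = typeof githubToken === 'string' && githubToken.length > 0;
  return [{ id: 'abc123', owner: username, description: 'constructed sample gist', authenticated }];
}

// Vulnerable pattern: the whole options object, token included, is handed to
// the client so the page can read settings such as the username.
function gistsPluginVulnerable(context, options) {
  return {
    name: 'gists-plugin-vulnerable-example',
    loadContent() { return fetchGistsStub(options.username, options.githubToken); },
    contentLoaded({ content, actions }) {
      actions.setGlobalData({ options, gists: content });   // DEFECT: leaks githubToken
    },
  };
}

// Hardened pattern: the token is used only while loading content and is
// removed from what is published to the client.
function gistsPluginHardened(context, options) {
  const { githubToken, ...publicOptions } = options;   // token never reaches globalData
  return {
    name: 'gists-plugin-hardened-example',
    loadContent() { return fetchGistsStub(publicOptions.username, githubToken); },
    contentLoaded({ content, actions }) {
      actions.setGlobalData({ options: publicOptions, gists: content });
    },
  };
}

// Defender check: scan built artifacts for GitHub token shapes. Classic PATs
// begin with ghp_ followed by 36 alphanumerics; fine-grained PATs begin with
// github_pat_ (length pattern kept loose on purpose).
const GITHUB_TOKEN_PATTERNS = [
  /\bghp_[A-Za-z0-9]{36}\b/g,
  /\bgithub_pat_[A-Za-z0-9_]{20,}\b/g,
];
function findLeakedTokens(bundleText) {
  const hits = [];
  for (const re of GITHUB_TOKEN_PATTERNS) {
    for (const m of bundleText.matchAll(re)) hits.push(m[0]);
  }
  return hits;
}

// Constructed sample values (not a real token): ghp_ plus 36 characters.
const SAMPLE_TOKEN = 'ghp_' + 'EXAMPLEexample'.repeat(2) + 'EXAMPLE0';
const SAMPLE_OPTIONS = { username: 'octocat', githubToken: SAMPLE_TOKEN };

if (typeof require !== 'undefined' && require.main === module) {
  const leaky = buildSite(gistsPluginVulnerable, SAMPLE_OPTIONS);
  const safe = buildSite(gistsPluginHardened, SAMPLE_OPTIONS);
  console.log('vulnerable bundle leaks:', findLeakedTokens(leaky));   // one hit
  console.log('hardened bundle leaks:', findLeakedTokens(safe));      // []
}
```

Running `findLeakedTokens` over the contents of the build directory (for Docusaurus, everything under `build/assets/js`) in CI is the cheap control that would have flagged this class of defect regardless of which plugin introduced it; the regular expressions are intentionally narrow so the check stays low-noise on minified bundles.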


Vulnerability details

The Docusaurus gists plugin adds a page to your Docusaurus instance, displaying all public gists of a GitHub user. docusaurus-plugin-content-gists versions prior to 4.0.0 are vulnerable to exposing GitHub Personal Access Tokens in production build artifacts when passed through plugin configuration options. The token, intended for build-time API access only, is inadvertently included in client-side JavaScript bundles, making it accessible to anyone who can view the website's source code. This vulnerability is fixed in 4.0.0.

CWE(s): CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1552.001 Credentials In Files (Credential Access): Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.

Why these techniques?

The vulnerability directly embeds a GitHub PAT into publicly served client-side JS bundles, enabling trivial extraction of unsecured credentials from files.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-6346 (shared CWE-200)
CVE-2026-29779 (shared CWE-200)
CVE-2026-6347 (shared CWE-200)
CVE-2026-44738 (shared CWE-200)
CVE-2025-24232 (shared CWE-200)
CVE-2025-25729 (shared CWE-200)
CVE-2024-13911 (shared CWE-200)
CVE-2024-52975 (shared CWE-200)
CVE-2025-11693 (shared CWE-200)
CVE-2024-13609 (shared CWE-200)


Mitigating Controls (NIST 800-53 r5)

SI-2 (prevent): requires identifying, reporting, and correcting flaws such as the plugin vulnerability that embeds GitHub tokens in client-side bundles, with timely patching to version 4.0.0.

IA-5 (prevent): mandates protecting authenticators like GitHub Personal Access Tokens from unauthorized disclosure, preventing their embedding in publicly accessible artifacts.

AC-22 (prevent): restricts the types of sensitive information, such as access tokens, that can be included in publicly accessible content like client-side JavaScript bundles.

References

GitHub Security Advisory GHSA-qf34-qpr4-5pph (fix released in docusaurus-plugin-content-gists 4.0.0)