CVE-2025-53624
Published: 09 July 2025
Summary
CVE-2025-53624 is a critical-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability. Its CVSS base score is 10.0 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Credentials In Files (T1552.001). The CVE is ranked in the top 5.5% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-22 (Publicly Accessible Content) and IA-5 (Authenticator Management).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-2 requires identifying, reporting, and correcting flaws such as the plugin vulnerability that embeds GitHub tokens in client-side bundles, with timely patching to version 4.0.0.
IA-5 mandates protecting authenticators like GitHub Personal Access Tokens from unauthorized disclosure, preventing their embedding in publicly accessible artifacts.
AC-22 restricts the types of sensitive information, such as access tokens, that can be included in publicly accessible content like client-side JavaScript bundles.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability embeds the GitHub PAT directly in publicly served client-side JS bundles, so the credential can be read straight out of a served file without any further access; this is the behaviour T1552.001 (Credentials In Files) describes.
NVD Description
The Docusaurus gists plugin adds a page to your Docusaurus instance, displaying all public gists of a GitHub user. docusaurus-plugin-content-gists versions prior to 4.0.0 are vulnerable to exposing GitHub Personal Access Tokens in production build artifacts when passed through plugin configuration options. The token, intended for build-time API access only, is inadvertently included in client-side JavaScript bundles, making it accessible to anyone who can view the website's source code. This vulnerability is fixed in 4.0.0.
Deeper analysis
CVE-2025-53624 is an information disclosure vulnerability (CWE-200) in the docusaurus-plugin-content-gists, a Docusaurus plugin that generates a page displaying all public GitHub gists for a specified user. Versions prior to 4.0.0 are affected when a GitHub Personal Access Token is provided via plugin configuration options for build-time API access to fetch gists. Instead of being used only server-side during builds, the token is embedded directly into client-side JavaScript bundles in production artifacts, exposing it to anyone who inspects the website's source code. The issue carries a CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).
Attackers require no privileges or special access, as exploitation involves simply loading the affected Docusaurus site's gists page over the network and extracting the token from the JavaScript bundles via browser developer tools or source code inspection. Successful exploitation grants the attacker the token's GitHub permissions, which are typically scoped for API operations like reading user gists but could enable broader unauthorized access depending on the token's configuration, resulting in high confidentiality, integrity, and availability impacts.
The vulnerability is addressed in docusaurus-plugin-content-gists version 4.0.0. Administrators should immediately upgrade to this version or later to prevent token exposure. Additional details are available in the GitHub security advisory (GHSA-qf34-qpr4-5pph) and the fixing commit (8d4230b82412edb215ddfa9e609d178510a5fe31).
Details
- CWE(s)