CVE-2025-53624 CRITICAL

CVE-2025-53624: docusaurus-plugin-content-gists Exposes GitHub Personal Access Token

Vendor Webbertakken
Product docusaurus-plugin-content-gists
Weakness CWE-200 · Info exposure
Published July 9, 2025
Last update July 10, 2025

CVSS base score

10.0/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

What the vulnerability does

Description

The Docusaurus gists plugin adds a page to your Docusaurus instance, displaying all public gists of a GitHub user. docusaurus-plugin-content-gists versions prior to 4.0.0 are vulnerable to exposing GitHub Personal Access Tokens in production build artifacts when passed through plugin configuration options. The token, intended for build-time API access only, is inadvertently included in client-side JavaScript bundles, making it accessible to anyone who can view the website's source code. This vulnerability is fixed in 4.0.0.

Key dates

Disclosure timeline

July 9, 2025 CVE published
July 10, 2025 Record updated