CVE-2025-53624
Published 2025-07-09
Priority: P2 · 71 · Severity: critical · CVSS 3.1 base score: 10
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS: 1.84% (76.3rd percentile)
The Docusaurus gists plugin adds a page to your Docusaurus instance, displaying all public gists of a GitHub user. docusaurus-plugin-content-gists versions prior to 4.0.0 are vulnerable to exposing GitHub Personal Access Tokens in production build artifacts when passed through plugin configuration options. The token, intended for build-time API access only, is inadvertently included in client-side JavaScript bundles, making it accessible to anyone who can view the website's source code. This vulnerability is fixed in 4.0.0.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| webbertakken | docusaurus-plugin-content-gists | < 4.0.0 | 4.0.0 |
| webbertakken | docusaurus-plugin-content-gists | >= 0 < 4.0.0 | 4.0.0 |
Detection & IOCs (extracted from sources)
- Identify Docusaurus-powered sites by checking for the `docusaurus_locale` string in the HTML body of an HTTP 200 response, then fetch the main JS bundle at `/assets/js/main.*.js`.
- In the fetched client-side JS bundle, search for the regex pattern `,personalAccessToken:"([^"]*)"}` to extract the exposed GitHub Personal Access Token embedded in the production build artifact.
- Use the Shodan query `http.html:"Docusaurus"` or the FOFA query `body="Docusaurus"` to enumerate potentially vulnerable Docusaurus instances for further investigation.
- The check requires exactly two HTTP requests: a GET to the base URL to confirm Docusaurus and extract the JS bundle filename, then a GET to the JS bundle path to confirm token presence.
- The token exposure only affects docusaurus-plugin-content-gists versions strictly prior to 4.0.0; version 4.0.0 and later are not vulnerable.
- The token is only exposed in production build artifacts (client-side JS bundles), not in development mode; scanning must target live production deployments.
OSV
docusaurus-plugin-content-gists vulnerability exposes GitHub Personal Access Token
osv · 2025-07-09 · CVE-2025-53624 · severity CRITICAL
## GitHub Personal Access Token Exposure in docusaurus-plugin-content-gists
### Summary
docusaurus-plugin-content-gists versions prior to 4.0.0 are vulnerable to exposing GitHub Personal Access Tokens in production build artifacts when passed through plugin configuration options. The token, intended for build-time API access only, is inadvertently included in client-side JavaScript bundles, making it accessible to anyone who can view the website's source code.
### Affected Versions
- All versions < 4.0.0
### Patched Versions
- Version 4.0.0 and later
### Impact
When using the affected versions with the recommended configuration pattern:
```javascript
plugins: [
  [
    'docusaurus-plugin-content-gists',
    // (remaining plugin options are truncated in the source)
```
GHSA
docusaurus-plugin-content-gists vulnerability exposes GitHub Personal Access Token
ghsa · 2025-07-09 · CVE-2025-53624 · severity CRITICAL · CWE-200
No detection rules found.
Nuclei
Docusaurus Gists Plugin < 4.0.0 - GitHub Personal Access Token Exposure
nuclei · CVSS 10.0 · CVE-2025-53624 · severity CRITICAL
Template:
```yaml
id: CVE-2025-53624
info:
  name: Docusaurus Gists Plugin < 4.0.0 - GitHub Personal Access Token Exposure
  author: darses
  severity: high
  description: |
    The Docusaurus gists plugin adds a page to your Docusaurus instance, displ
```
No writeups or analysis indexed.
Published: 2025-07-09