Sensitive Data Exposure in Docusaurus Plugin by webbertakken
CVE-2025-53624
10 CRITICAL
What is CVE-2025-53624?
The Docusaurus gists plugin exposes GitHub Personal Access Tokens in production build artifacts. Tokens that are meant solely for build-time API access are passed through the plugin configuration and end up in client-side JavaScript bundles. As a result, anyone with access to the website's source code can retrieve these tokens. To mitigate this issue, upgrade to version 4.0.0 or later, which addresses the vulnerability.
Affected Version(s)
docusaurus-plugin-content-gists < 4.0.0
EPSS Score
5% chance of being exploited in the next 30 days.
CVSS V3.1
Score: 10
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed