CVE-2025-53624
- Source
- https://cve.org/CVERecord?id=CVE-2025-53624
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-53624.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2025-53624
- Aliases
- Published
- 2025-07-09T21:08:14.595Z
- Modified
- 2026-04-02T12:52:51.605047Z
- Severity
-
- 10.0 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H CVSS Calculator
- Summary
- docusaurus-plugin-content-gists Exposes GitHub Personal Access Token
- Details
-
The Docusaurus gists plugin adds a page to your Docusaurus instance, displaying all public gists of a GitHub user. docusaurus-plugin-content-gists versions prior to 4.0.0 are vulnerable to exposing GitHub Personal Access Tokens in production build artifacts when passed through plugin configuration options. The token, intended for build-time API access only, is inadvertently included in client-side JavaScript bundles, making it accessible to anyone who can view the website's source code. This vulnerability is fixed in 4.0.0.
- Database specific
{ "cna_assigner": "GitHub_M", "cwe_ids": [ "CWE-200" ], "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/53xxx/CVE-2025-53624.json" }- References
-
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/53xxx/CVE-2025-53624.json
- https://github.com/webbertakken/docusaurus-plugin-content-gists/security/advisories/GHSA-qf34-qpr4-5pph
- https://nvd.nist.gov/vuln/detail/CVE-2025-53624
- https://github.com/webbertakken/docusaurus-plugin-content-gists/commit/8d4230b82412edb215ddfa9e609d178510a5fe31