CVE-2025-53624
BaseFortify
Publication date: 2025-07-09
Last updated on: 2025-07-10
Assigner: GitHub, Inc.
Description
EPSS Scores
| Metric | Value |
|---|---|
| Probability | |
| Percentile | |
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| webbertakken | docusaurus-plugin-content-gists | 4.0.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in the Docusaurus gists plugin (versions prior to 4.0.0) causes GitHub Personal Access Tokens, which are meant for build-time API access only, to be included in the client-side JavaScript bundles of the production build. Anyone who views the website's source or downloads its bundles can read these tokens, so the build-time credential becomes a publicly exposed secret.
How can this vulnerability impact me?
This vulnerability can lead to unauthorized access to GitHub accounts or repositories, because an exposed Personal Access Token lets whoever obtains it perform actions with the same permissions as the token holder. This can result in data theft, code manipulation, or service disruption.
What immediate steps should I take to mitigate this vulnerability?
Upgrade the docusaurus-plugin-content-gists to version 4.0.0 or later, as this version fixes the vulnerability that exposes GitHub Personal Access Tokens in client-side JavaScript bundles. Avoid passing GitHub Personal Access Tokens through plugin configuration options that are included in production builds.