CVE-2025-52493
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-12-10

Last updated on: 2025-12-12

Assigner: MITRE

Description
PagerDuty Runbook through 2025-06-12 exposes stored secrets directly in the webpage DOM at the configuration page. Although these secrets appear masked as password fields, the actual secret values are present in the page source and can be revealed by simply modifying the input field type from "password" to "text" using browser developer tools. This vulnerability is exploitable by administrative users who have access to the configuration page.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-10
Last Modified
2025-12-12
Generated
2026-06-16
AI Q&A
2025-12-10
EPSS Evaluated
2026-06-15
NVD
CVE-2025-52493
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
pagerduty pagerduty *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in PagerDuty Runbook allows stored secrets to be exposed directly in the webpage DOM on the configuration page. Although these secrets appear masked as password fields, the actual secret values are present in the page source and can be revealed by changing the input field type from "password" to "text" using browser developer tools. This can be exploited by administrative users who have access to the configuration page.

Impact Analysis

The vulnerability can lead to unauthorized disclosure of sensitive secrets if an administrative user with access to the configuration page intentionally or accidentally reveals the stored secrets. This could compromise security by exposing credentials or other confidential information stored in the configuration.

Mitigation Strategies

Since the vulnerability exposes stored secrets in the webpage DOM on the configuration page accessible by administrative users, immediate mitigation steps include restricting administrative access to the configuration page, avoiding use of the affected PagerDuty Runbook versions through 2025-06-12, and monitoring for updates or patches from PagerDuty to fix this issue. Additionally, educate administrators to avoid revealing password fields by modifying input types in browser developer tools.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-52493. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart