CVE-2025-52493

6.5 MEDIUM

📋 TL;DR

PagerDuty Runbook exposes stored secrets in the webpage DOM on configuration pages, allowing administrative users to view masked passwords by changing input field types using browser developer tools. This information disclosure vulnerability affects administrative users with access to configuration pages in PagerDuty Runbook versions through 2025-06-12.

💻 Affected Systems

Products:
  • PagerDuty Runbook
Versions: All versions through 2025-06-12
Operating Systems: Any (web application)
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects administrative users with access to configuration pages where secrets are stored. The vulnerability is present in the web interface's client-side rendering.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Administrative users could exfiltrate all stored secrets (API keys, passwords, tokens) from the system, leading to complete compromise of integrated systems and data breaches.

🟠 Likely Case

Administrative users accidentally or intentionally view sensitive credentials they shouldn't have access to, potentially violating least privilege principles and audit requirements.

🟢 If Mitigated

With proper access controls and monitoring, impact is limited to authorized administrative users who already have high privileges, though it violates security best practices.

🌐 Internet-Facing: LOW - The vulnerability requires administrative access to the configuration interface, which should not be internet-facing.
🏢 Internal Only: MEDIUM - While it requires administrative privileges, it bypasses intended security controls and could enable privilege escalation or lateral movement if credentials are reused.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires administrative access to the configuration page. The technique is simple: open browser developer tools, locate password fields, and change input type from 'password' to 'text'.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after 2025-06-12

Vendor Advisory: https://www.pagerduty.com/security/disclosure/

Restart Required: No

Instructions:

1. Upgrade PagerDuty Runbook to a version released after 2025-06-12.
2. Verify the fix by checking that secrets are no longer exposed in the page source.
3. Rotate any potentially exposed credentials as a precaution.

🔧 Temporary Workarounds

Restrict Configuration Page Access (applies to: all)

Limit access to configuration pages to only the administrative users who absolutely need it, using role-based access controls.

Browser Security Policies (applies to: all)

Implement Content Security Policies and, where a managed browser policy allows it, disable developer tools for administrative users. Neither measure removes the secret from the served page, so this only raises the effort required and does not substitute for the patch.

🧯 If You Can't Patch

  • Implement strict access controls to limit which administrators can view configuration pages
  • Monitor and audit all access to configuration pages and investigate any unusual activity

🔍 How to Verify

Check if Vulnerable:

1. Log in as an administrator.
2. Navigate to a configuration page with password fields.
3. Open the browser developer tools (F12).
4. Inspect the password input elements: if the 'value' attribute contains the actual secret, the system is vulnerable.

Check Version:

Check the PagerDuty Runbook version in the admin interface or via the API endpoint /api/version.

Verify Fix Applied:

Repeat the check above; password fields should not contain the actual secret value in the DOM, only a placeholder or masked value.
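As an added example (not PagerDuty Runbook's code; the field names are assumed for illustration), the vulnerable rendering pattern described in this advisory beside a hardened one that keeps the stored secret out of the DOM, together with the "Check if Vulnerable" inspection written as a function that reports field names without ever printing values:

```javascript
// Added example (not PagerDuty Runbook's code): vulnerable vs. hardened
// rendering of a secret field, plus the DOM check from "How to Verify".
// Field names such as "api_key" are assumed for illustration.

// Minimal attribute escaping so values cannot break out of the attribute.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) =>
    ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]));
}

// Vulnerable pattern: the stored secret is written into the value attribute.
// type="password" only masks it visually; anything with DOM access can read it.
function renderSecretFieldVulnerable(name, secret) {
  return `<input type="password" name="${escapeHtml(name)}" value="${escapeHtml(secret)}">`;
}

// Hardened pattern: the page only learns whether a secret is set. The value
// attribute stays empty, so retyping the input reveals nothing.
function renderSecretFieldHardened(name, isSet) {
  const hint = isSet ? 'Stored (enter a new value to replace)' : 'Not set';
  return `<input type="password" name="${escapeHtml(name)}" value="" ` +
    `placeholder="${hint}" autocomplete="new-password" data-secret-set="${isSet}">`;
}

// Server side of the hardened pattern: an empty submission means "keep the
// existing secret", so the form never has to round-trip the old value.
function applySecretUpdate(stored, submitted) {
  const next = { ...stored };
  for (const [name, value] of Object.entries(submitted)) {
    if (value !== '') next[name] = value;
  }
  return next;
}

// The "Check if Vulnerable" step as code: list password inputs whose value
// attribute is non-empty in the rendered HTML. Returns names only, never values.
function findLeakedPasswordFields(html) {
  const leaked = [];
  for (const tag of html.match(/<input\b[^>]*>/gi) || []) {
    if (!/\btype\s*=\s*["']?password\b/i.test(tag)) continue;
    const value = tag.match(/\bvalue\s*=\s*"([^"]*)"/i);
    if (value && value[1].length > 0) {
      const name = tag.match(/\bname\s*=\s*"([^"]*)"/i);
      leaked.push(name ? name[1] : '(unnamed)');
    }
  }
  return leaked;
}
```

Running findLeakedPasswordFields over a saved copy of a configuration page (or over document.documentElement.outerHTML in the browser console) gives the same verdict as the manual inspection, without displaying any secret.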

📡 Detection & Monitoring

Log Indicators:

  • Unusual access patterns to configuration pages
  • Multiple failed attempts to access configuration interfaces

Network Indicators:

  • Unusual outbound connections from administrative workstations following configuration page access

SIEM Query:

source="pagerduty_logs" AND (event="config_page_access" OR event="admin_activity") AND user_role="admin" AND resource_type="secret"
