CVE-2025-53624
📋 TL;DR
The Docusaurus gists plugin versions before 4.0.0 expose GitHub Personal Access Tokens in client-side JavaScript bundles when configured with the token. This allows anyone viewing the website's source code to steal the token, potentially gaining unauthorized access to GitHub resources. Only users who configured the plugin with a GitHub token are affected.
💻 Affected Systems
- docusaurus-plugin-content-gists
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers obtain the GitHub token and gain full access to all GitHub resources the token authorizes, potentially compromising repositories, deploying malicious code, or accessing private organizational data.
Likely Case
Attackers discover the exposed token and use it to read private repositories, create issues, or perform other actions allowed by the token's scopes.
If Mitigated
If the token has minimal scopes and is quickly revoked, impact is limited to temporary unauthorized API calls.
🎯 Exploit Status
Exploitation requires only viewing website source code; no authentication or special tools needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.0.0
Vendor Advisory: https://github.com/webbertakken/docusaurus-plugin-content-gists/security/advisories/GHSA-qf34-qpr4-5pph
Restart Required: Yes
Instructions:
1. Update package.json to require 'docusaurus-plugin-content-gists' version '^4.0.0'.
2. Run npm update or yarn upgrade.
3. Rebuild and redeploy the Docusaurus site.
🔧 Temporary Workarounds
Revoke and regenerate token
Immediately revoke the exposed GitHub Personal Access Token and generate a new one with minimal necessary scopes.
Remove token from configuration
Temporarily remove the GitHub token from plugin configuration if gist functionality is not critical.
🧯 If You Can't Patch
- Immediately revoke the exposed GitHub token and audit all GitHub activity for unauthorized access.
- Implement Content Security Policy (CSP) headers to restrict script sources, though this may not fully prevent token extraction from static files.
🔍 How to Verify
Check if Vulnerable:
Inspect the built JavaScript bundles for any GitHub token strings, and check whether the plugin version in package.json is below 4.0.0.
Check Version:
npm list docusaurus-plugin-content-gists
Verify Fix Applied:
Confirm plugin version is 4.0.0 or higher in package.json and verify no token strings appear in built JavaScript files.
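As an added example (not part of this advisory or the plugin project), the following POSIX shell script automates the two checks above: it reads the installed plugin version from node_modules and scans the build output for GitHub token-shaped strings. The build directory name, the token patterns and the script name are assumptions.

```shell
#!/bin/sh
# Added example, not from the advisory or the plugin project: checks a built
# Docusaurus site for inlined GitHub Personal Access Tokens and reports whether
# the installed docusaurus-plugin-content-gists is older than the fixed 4.0.0.
# Assumes build output in <root>/build and a populated node_modules directory.

# Print every *.js file under $1 containing a GitHub PAT-shaped string
# ("ghp_" + 36 alphanumerics, or the "github_pat_" fine-grained prefix).
find_tokens_in_bundles() {
  find "$1" -type f -name '*.js' -exec grep -El \
    'ghp_[A-Za-z0-9]{36}|github_pat_[A-Za-z0-9_]{22,}' {} + 2>/dev/null
}

# Exit 0 when dotted version $1 is lower than $2 (pre-release tags ignored).
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".")
    for (i = 1; i <= 3; i++) {
      xi = (i <= n) ? x[i] + 0 : 0; yi = (i <= m) ? y[i] + 0 : 0
      if (xi < yi) exit 0
      if (xi > yi) exit 1
    }
    exit 1 }'
}

# Print the plugin version installed in node_modules; empty if not installed.
installed_plugin_version() {
  pkg="$1/node_modules/docusaurus-plugin-content-gists/package.json"
  [ -f "$pkg" ] || return 0
  sed -n 's/.*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$pkg" | head -n 1
}

# Verdict for project root $1: VULNERABLE (plugin below 4.0.0), LEAK (a
# token-shaped string sits in the build, e.g. a stale pre-upgrade artefact)
# or OK. Non-zero exit for the first two so it can gate a deploy pipeline.
check_site() {
  root="${1:-.}"
  v="$(installed_plugin_version "$root")"
  if [ -n "$v" ] && version_lt "$v" 4.0.0; then
    echo "VULNERABLE: docusaurus-plugin-content-gists $v is below 4.0.0"; return 1
  fi
  hits="$(find_tokens_in_bundles "$root/build")"
  if [ -n "$hits" ]; then
    echo "LEAK: token-shaped string found in:"; echo "$hits"; return 1
  fi
  echo "OK: plugin ${v:-not installed}, no token strings under $root/build"
}
# Usage: sh check-gists-token.sh /path/to/site   (no argument: do nothing)
if [ -n "${1:-}" ]; then check_site "$1"; fi
```

A LEAK verdict after upgrading usually means the build directory still holds bundles produced by the old version; rebuild, then revoke the token that was inlined.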
📡 Detection & Monitoring
Log Indicators:
- Unusual GitHub API activity from unexpected IPs or user agents
Network Indicators:
- HTTP requests to GitHub API with exposed token from client browsers
SIEM Query:
source='github_audit_log' AND action:api_token_* AND actor NOT IN (authorized_users)