CRITICAL🇵🇱 Wersja polska

CVE-2025-53624

CVSS 10.0v3.1pub. 2025-07-09upd. 2026-04-15

The Docusaurus gists plugin adds a page to your Docusaurus instance, displaying all public gists of a GitHub user. docusaurus-plugin-content-gists versions prior to 4.0.0 are vulnerable to exposing GitHub Personal Access Tokens in production build artifacts when passed through plugin configuration options. The token, intended for build-time API access only, is inadvertently included in client-side JavaScript bundles, making it accessible to anyone who can view the website's source code. This vulnerability is fixed in 4.0.0.

🤖 AI Analysis
How it works

The plugin is designed to fetch a GitHub user's public gists through the API during site build time. The token passed in the plugin configuration, which should only be used at build time, is erroneously included in the client-side JavaScript packages generated during the production build process due to an implementation error. As a result, the token ends up directly in the browser of every visitor and is visible in the page source or JavaScript files.

Impact

An attacker who visits or scans the vulnerable site can extract the GitHub Personal Access Token and use it for unauthorized access to GitHub resources associated with that token, potentially gaining access to private repositories, data, and the ability to perform operations on behalf of the token owner.

Mitigation & patch

Update docusaurus-plugin-content-gists to version 4.0.0 or later, which eliminates the vulnerability. Additionally, immediately revoke any GitHub Personal Access Token that may have been passed in the plugin configuration in earlier versions and generate new tokens. You should also rebuild and redeploy the site after updating the plugin.

Who is affected

The docusaurus-plugin-content-gists plugin in versions earlier than 4.0.0 — all sites built with it that have a GitHub Personal Access Token passed in the plugin configuration.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References