Platform
nodejs
Component
docusaurus-plugin-content-gists
Fixed version
4.0.1
CVE-2025-53624 affects the docusaurus-plugin-content-gists plugin, a component used in Docusaurus websites to display GitHub gists. The vulnerability arises because the plugin inadvertently embeds the GitHub Personal Access Token (PAT) it is configured with into the client-side JavaScript bundles produced during the build. Anyone who can load the published site can view its client-side source and read the token, which creates significant security risk. The vulnerability is resolved in version 4.0.0.
The primary impact of CVE-2025-53624 is the exposure of GitHub Personal Access Tokens. These tokens grant access to a user's GitHub repositories and data. An attacker holding a PAT could potentially read, write, or delete code, access sensitive information stored in repositories, and even impersonate the token owner. The blast radius extends beyond the immediate website: a compromised PAT can affect any resource reachable through that token. Because obtaining the token requires nothing more than viewing the website's source, this is a particularly concerning vulnerability, especially for websites handling sensitive information or integrated with critical infrastructure. It is akin to accidentally committing API keys directly into a public repository.
CVE-2025-53624 was published on 2025-07-09. Its severity is rated critical (CVSS 10). Public proof-of-concept (PoC) code is likely to emerge given the ease of exploitation and the potential impact. No active campaigns have been publicly reported as of this writing, but the ease of discovery and the potential for widespread impact suggest a high probability of exploitation. Monitor security advisories and threat intelligence feeds for any indications of exploitation attempts.
Exploitation status
EPSS
7.58% (92nd percentile)
CISA SSVC
CVSS vector
The definitive mitigation for CVE-2025-53624 is to upgrade the docusaurus-plugin-content-gists plugin to version 4.0.0 or later. If an immediate upgrade is not feasible because of compatibility issues or breaking changes, consider temporarily disabling the plugin or removing the configuration options that pass the PAT to the plugin. As a temporary workaround, carefully review your website's build artifacts for any signs of exposed tokens. While not a complete solution, strict Content Security Policy (CSP) headers can help limit the impact by restricting the sources from which JavaScript can be loaded, reducing the likelihood of the exposed token being used maliciously. After upgrading, confirm the fix by inspecting the website's JavaScript bundles to ensure the PAT is no longer present.
Update the `docusaurus-plugin-content-gists` plugin to version 4.0.0 or later. This fixes the vulnerability that exposes the GitHub Personal Access Token in the build output. Run `npm update docusaurus-plugin-content-gists` or `yarn upgrade docusaurus-plugin-content-gists` to update the package.
It is a critical vulnerability in the Docusaurus gists plugin that exposes GitHub Personal Access Tokens in production builds, allowing attackers to access sensitive data.
You are affected if you are using the docusaurus-plugin-content-gists plugin in versions prior to 4.0.0.
Upgrade the plugin to version 4.0.0 or later. If an immediate upgrade is not possible, disable the plugin or remove the PAT configuration options.
No active campaigns have been reported, but the high severity and ease of exploitation suggest a high probability of future exploitation.
Refer to the Docusaurus security advisory and the CVE details on the NVD website for further information.