CVE-2025-53624
Severity: CRITICAL | Nuclei template available
Docusaurus-plugin-content-gists <4.0.0 - Info Disclosure
Title source: llm
Exploitation Summary
CVE-2025-53624 has a Nuclei detection template available — see the Nuclei card below for the Shodan/FOFA recon queries.
Description
The Docusaurus gists plugin adds a page to your Docusaurus instance, displaying all public gists of a GitHub user. docusaurus-plugin-content-gists versions prior to 4.0.0 are vulnerable to exposing GitHub Personal Access Tokens in production build artifacts when passed through plugin configuration options. The token, intended for build-time API access only, is inadvertently included in client-side JavaScript bundles, making it accessible to anyone who can view the website's source code. This vulnerability is fixed in 4.0.0.
Nuclei Templates (1)
Docusaurus Gists Plugin < 4.0.0 - GitHub Personal Access Token Exposure
HIGH | VERIFIED | by darses
Shodan:
http.html:"Docusaurus"
FOFA:
body="Docusaurus"
References (2)
Core References (2)
Vendor Advisory (x_refsource_confirm)
https://github.com/webbertakken/docusaurus-plugin-content-gists/security/advisories/GHSA-qf34-qpr4-5pph
Scores
CVSS v3
10.0
EPSS
0.1437
EPSS Percentile
94.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
total
Details
CWE
CWE-200
Status
published
Products (2)
npm/docusaurus-plugin-content-gists
0 - 4.0.0 (npm)
webbertakken/docusaurus-plugin-content-gists
< 4.0.0
Published
Jul 09, 2025
Tracked Since
Feb 18, 2026