CVE-2025-53624: docusaurus-plugin-content-gists vulnerability exposes GitHub Personal Access Token
docusaurus-plugin-content-gists versions prior to 4.0.0 are vulnerable to exposing GitHub Personal Access Tokens in production build artifacts when passed through plugin configuration options. The token, intended for build-time API access only, is inadvertently included in client-side JavaScript bundles, making it accessible to anyone who can view the website’s source code.
References
- github.com/advisories/GHSA-qf34-qpr4-5pph
- github.com/webbertakken/docusaurus-plugin-content-gists
- github.com/webbertakken/docusaurus-plugin-content-gists/commit/8d4230b82412edb215ddfa9e609d178510a5fe31
- github.com/webbertakken/docusaurus-plugin-content-gists/security/advisories/GHSA-qf34-qpr4-5pph
- nvd.nist.gov/vuln/detail/CVE-2025-53624
Detect and mitigate CVE-2025-53624 with GitLab Dependency Scanning