CVE-2025-53624
Docusaurus · docusaurus-plugin-content-gists
A critical information disclosure vulnerability in the docusaurus-plugin-content-gists plugin allows unauthorized access to private or sensitive GitHub Gists.
Executive summary
Docusaurus users are at risk of sensitive information disclosure due to a flaw in the docusaurus-plugin-content-gists plugin versions prior to 4.0.0.
Vulnerability
The vulnerability involves an improper data exposure flaw where the plugin inadvertently displays sensitive or private GitHub Gists on public-facing pages. This is an unauthenticated vulnerability where any visitor to the site could potentially view content not intended for public consumption.
Business impact
With a CVSS score of 10.0, this represents a maximum-severity risk. Exposure of private Gists could lead to the leakage of proprietary code, API keys, credentials, or other sensitive configuration data, resulting in severe reputational damage and potential downstream security breaches.
Remediation
Immediate Action: Upgrade the docusaurus-plugin-content-gists package to version 4.0.0 or later immediately.
Proactive Monitoring: Review existing public pages to ensure no unintended sensitive data is currently being exposed; conduct a search for leaked credentials within previously indexed Gists.
Compensating Controls: Temporarily disable the plugin if an immediate upgrade is not feasible to prevent further unauthorized data exposure.
Exploitation status
Public Exploit Available: Not specified
Analyst recommendation
This vulnerability is classified as critical due to the high likelihood of sensitive data exposure. All Docusaurus instances utilizing this plugin must be updated to version 4.0.0 or higher immediately to close the information disclosure vector.