Vulnerability Overview

Vulnerability Name: GitHub Personal Access Token Exposure in docusaurus-plugin-content-gists
CVE ID: CVE-2025-53624
Severity: Critical (10.0/10)

Affected Versions

Affected Versions: < 4.0.0
Fixed Versions: 4.0.0 and above

Description

Versions of docusaurus-plugin-content-gists below 4.0.0 are vulnerable to exposure of GitHub Personal Access Tokens (PATs). When the token is passed via the plugin's configuration options, it is included in the client-side JavaScript bundle during production builds, making it readable by anyone who inspects the website's source code.

Impact

When an affected version is used with the recommended configuration pattern, the GitHub Personal Access Token is embedded in the webpack bundle and exposed in production builds at . This allows malicious actors to:

- Extract the GitHub Personal Access Token from the website's JavaScript files
- Use the stolen token to act as the token owner on GitHub, with whatever permissions the token was granted
- Potentially access private gists or repositories, or perform other actions, depending on the token's scope

Mitigation

1. Immediately revoke the GitHub PAT in use: https://github.com/settings/tokens. The token sits in a static, cacheable artifact, so treat it as compromised: upgrading the plugin and rebuilding the site does not invalidate copies that were already fetched, mirrored or archived.

Migration Steps

1. Upgrade to version 4.0.0 or higher:
2. Remove from the plugin configuration
3. Ensure is set in the build environment