Docusaurus Gists Plugin GitHub Personal Access Token Exposure Vulnerability
Vulnerability
A vulnerability exists in the Docusaurus gists plugin in versions prior to 4.0.0. When a GitHub Personal Access Token (PAT) is supplied through the plugin's configuration options, it is bundled into the production build artifacts: the token, intended only for build-time access to the GitHub API, ends up in the client-side JavaScript that is served to every visitor. Anyone who can load the published site can therefore read the token out of its JavaScript. The issue is fixed in version 4.0.0.
Impact
The token can be read straight out of the deployed site's JavaScript files. Whoever obtains it can call the GitHub API as the token's owner; depending on the scopes granted to the token, that can mean reading private gists and repositories or performing write actions on the owner's account.
Reproduction
Use a version of the Docusaurus gists plugin prior to 4.0.0, set a GitHub Personal Access Token in the plugin's configuration options, and run a production build of the Docusaurus site. The token appears verbatim in the client-side bundle, specifically in the main.[hash].js file of the build output, where searching the file for the token value finds it.
Remediation
Update to Docusaurus gists plugin version 4.0.0 or later. After updating, remove the personalAccessToken option from the plugin configuration and instead provide the token through the GH_PERSONAL_ACCESS_TOKEN environment variable in the build environment, so that it is read at build time and never written into the output. Any token that was shipped in an earlier build should be treated as compromised and revoked, since updating the plugin does not remove it from already-published builds or their cached copies.
