CVE-2025-52493 - PagerDuty Cloud Runbook Exposes Secrets via Client-Side DOM
Category: Vulnerabilities & Exploits
Praetorian discovered CVE-2025-52493 during a Red Team engagement: PagerDuty Cloud Runbook's configuration page sent full cleartext secrets to the client browser, relying only on HTML password-field masking for protection. Authenticated admins could expose API keys, service credentials, and tokens simply by changing the input type from 'password' to 'text' in browser dev tools. The flaw exemplifies a critical anti-pattern: trusting the client with secrets. PagerDuty remediated by implementing write-only secret updates with placeholder values, eliminating server-to-client secret transmission entirely. The vulnerability was disclosed on June 12 and patched on September 12, 2025.
CORTEX Protocol Intelligence Assessment
Business Impact: Client-side password exposure risks unauthorized account takeover, data theft, and regulatory non-compliance, particularly for consumer-facing services handling PII.

Technical Context: The vulnerability stems from insecure DOM-bound secret storage, mapped to MITRE T1056.003 and T1552.003. Secure remediation requires strict server-side validation and elimination of secret persistence within browser-visible structures.
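As an added illustration (not PagerDuty's or Praetorian's code), the write-only update pattern the remediation describes, in JavaScript: the leaky form model beside the hardened one, the update handler that treats an untouched placeholder as "keep the stored secret", and a regression check that the server response never carries the secret. The record shape, function names and the '********' sentinel are assumptions.

```javascript
// Added example, not PagerDuty's or Praetorian's code: the write-only secret
// pattern described in the remediation. The record shape, the function names
// and the '********' sentinel are assumptions made for this illustration.

// Sentinel the browser sees instead of a secret. It must be a value no real
// secret could equal, since the update handler compares against it.
const PLACEHOLDER = '********';

// Leaky shape (the pre-fix behaviour): the stored secret is copied into the
// form model, so it reaches the DOM and an input-type toggle reveals it.
function buildFormModelLeaky(record) {
  return { name: record.name, apiKey: record.apiKey };
}

// Hardened shape: the model carries only the placeholder and a boolean that
// says whether a secret is configured. The secret value never leaves the server.
function buildFormModel(record) {
  const hasKey = typeof record.apiKey === 'string' && record.apiKey.length > 0;
  return { name: record.name, apiKey: hasKey ? PLACEHOLDER : '', apiKeySet: hasKey };
}

// Write-only update: an absent field or untouched placeholder means "keep the
// stored secret", an empty field clears it, and any other value replaces it.
function applyFormUpdate(record, submitted) {
  const next = { ...record, name: submitted.name };
  if (submitted.apiKey === undefined || submitted.apiKey === PLACEHOLDER) {
    // Field absent or left as rendered: keep the existing secret untouched.
  } else if (submitted.apiKey === '') {
    next.apiKey = null;
  } else {
    next.apiKey = submitted.apiKey;
  }
  return next;
}

// Regression check a defender can keep in the test suite: the serialised
// response must never contain the stored secret value.
function responseLeaksSecret(record, model) {
  return Boolean(record.apiKey) && JSON.stringify(model).includes(record.apiKey);
}

// Constructed sample record standing in for a stored runbook configuration.
const SAMPLE_RECORD = { name: 'prod-runbook', apiKey: 'constructed-sample-key-123' };
```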
Strategic Intelligence Guidance
- Refactor authentication flows to ensure all password logic runs server-side.
- Implement CSP and SRI to minimize script injection risks.
- Perform a full DOM and memory review to identify residual secret storage.
- Adopt secure widget frameworks for embedded login flows and enforce zero-trust client security.
Intelligence Source: CVE-2025-52493 - PagerDuty Cloud Runbook Exposes Secrets via Client-Side DOM | Nov 21, 2025