PagerDuty: PagerDuty Cloud Runbook: Client-Side Secret Exposure in Configuration Page
CWE-200
Information Exposure
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Summary
Per NVD: “PagerDuty Runbook through 2025-06-12 exposes stored secrets directly in the webpage DOM at the configuration page. Although these secrets appear masked as password fields, the actual secret values are present in the page source and can be revealed by simply modifying the input field type from ‘password’ to ‘text’ using browser developer tools. This vulnerability is exploitable by administrative users.”
Affected Packages / Versions
- Package: PagerDuty Cloud Runbook (SaaS)
- Latest published version at triage time: PagerDuty Runbook through 2025-06-12 (per NVD)
- Affected range: PagerDuty Runbook through 2025-06-12 (per NVD)
- Patched version: Server-side fix deployed by PagerDuty (no customer action required)
Impact
Per Praetorian’s blog: “While this vulnerability required administrative privileges to exploit, its implications align perfectly with modern attack patterns. Today’s adversaries prioritize ‘living off the land’ – using legitimate tools and interfaces to avoid detection while harvesting credentials for lateral movement. A single compromised admin account with access to this dashboard could extract API keys, service credentials, and tokens for numerous integrated systems.”
Severity Rationale
NVD CVSS 6.5 (Medium): network attack vector, low attack complexity, low privileges required (administrative access to the configuration page), no user interaction, and a confidentiality-only impact (C:H, I:N, A:N).
Fix
Per Praetorian’s blog: “The fundamental issue here wasn’t the password field implementation – it was sending the secrets to the client at all.” PagerDuty deployed the fix server-side; no customer action is required. Operators should rotate any secret stored in the Runbook configuration page that was visible to administrators during the exposure window.
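To make the vulnerable and fixed patterns concrete, the following is an added example (not PagerDuty's or Praetorian's code, and it assumes nothing about Runbook's actual stack). It renders a configuration form both ways (secret embedded in a password input versus a write-only field where the server only reports whether a value is set), shows the matching save handler, and includes a small audit check that scans rendered HTML for password inputs whose `value` attribute carries a real value. The secret store and its values are constructed sample data.

```python
"""Added example (not PagerDuty's or Praetorian's code): a vulnerable
configuration-page renderer that embeds stored secrets in password inputs,
the hardened write-only pattern, and an audit check that scans rendered
HTML for password fields whose value attribute carries a real value."""
from html import escape
from html.parser import HTMLParser

# Constructed sample store: integration name -> stored secret value.
SAMPLE_SECRETS = {
    "slack_token": "xoxb-EXAMPLE-NOT-REAL",
    "aws_secret": "EXAMPLE/AWS/SECRET",
}


def render_vulnerable(secrets):
    """Vulnerable pattern: the real secret is sent to the browser as the
    value of a type=password input. It looks masked, but the value sits in
    the page source and is readable by anyone who can view that source."""
    rows = []
    for name, value in secrets.items():
        rows.append(
            f'<label>{escape(name)}'
            f'<input type="password" name="{escape(name)}" '
            f'value="{escape(value, quote=True)}"></label>'
        )
    return "<form>" + "".join(rows) + "</form>"


def render_hardened(secrets):
    """Hardened pattern: the field is write-only. The server sends only a
    'set' / 'not set' indicator and an empty value; the secret itself never
    leaves the server. save_config() below treats a blank submission as
    'keep the stored value'."""
    rows = []
    for name, value in secrets.items():
        state = "set" if value else "not set"
        rows.append(
            f'<label>{escape(name)} ({state})'
            f'<input type="password" name="{escape(name)}" value="" '
            f'placeholder="Enter a new value to replace the stored secret"></label>'
        )
    return "<form>" + "".join(rows) + "</form>"


def save_config(store, submitted):
    """Server-side companion to render_hardened: a non-empty submitted value
    replaces the stored secret, an empty one leaves it unchanged."""
    for name, value in submitted.items():
        if value:
            store[name] = value
    return store


class _PasswordValueScanner(HTMLParser):
    """Collects <input type=password> elements whose value attribute is non-empty."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "input":
            return
        # attrs is a list of (name, value) pairs; value is None for bare attributes.
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("type", "").lower() == "password" and a.get("value"):
            self.findings.append(a.get("name", "<unnamed>"))


def find_exposed_password_fields(html):
    """Audit check: return the names of password inputs that carry a value in
    the page source. Run it over the rendered HTML of any settings page."""
    scanner = _PasswordValueScanner()
    scanner.feed(html)
    return scanner.findings


if __name__ == "__main__":
    print("vulnerable:", find_exposed_password_fields(render_vulnerable(SAMPLE_SECRETS)))
    print("hardened:  ", find_exposed_password_fields(render_hardened(SAMPLE_SECRETS)))
```

The audit function is the useful part for operators: point it at the saved page source of any admin or integration settings page and any non-empty finding means a stored secret is being shipped to the browser, regardless of how the field is masked.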
Disclosure timeline
- Jun 12, 2025: Reported to vendor (per Praetorian cve-research listing)
- TBD: Server-side fix deployed by PagerDuty
- Nov 20, 2025: Public disclosure (per Praetorian cve-research listing)
Fix Commit(s)
References
Discovered by Mario Bartolome and Carter Ross · Published April 29, 2026