CVE-2025-52493: n/a
PagerDuty Runbook through 2025-06-12 exposes stored secrets directly in the webpage DOM at the configuration page. Although these secrets appear masked as password fields, the actual secret values are present in the page source and can be revealed by simply modifying the input field type from "password" to "text" using browser developer tools. This vulnerability is exploitable by administrative users who have access to the configuration page.
AI Analysis
Technical Summary
CVE-2025-52493 is a vulnerability affecting PagerDuty Runbook versions up to 2025-06-12, where stored secrets such as API keys or credentials are embedded directly in the webpage Document Object Model (DOM) on the configuration page. These secrets are displayed in input fields styled as password fields, which visually mask the values. However, the actual secret values remain present in the HTML source code of the page. An attacker or malicious administrator with access to the configuration page can use browser developer tools to change the input field type attribute from "password" to "text," thereby revealing the plaintext secrets. This vulnerability falls under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The CVSS v3.1 base score is 6.5, reflecting a medium severity level, with the vector indicating network attack vector, low attack complexity, requiring privileges (administrative), no user interaction, and high confidentiality impact but no impact on integrity or availability. Exploitation requires administrative privileges, so it is not remotely exploitable by unauthorized users but poses a risk if administrative accounts are compromised or misused. There are no patches or known exploits publicly available at this time. The vulnerability highlights a design flaw in how secrets are handled and displayed in the web interface, exposing sensitive data unnecessarily in the client-side code.
Potential Impact
For European organizations, this vulnerability poses a significant confidentiality risk. If an attacker gains administrative access—whether through credential compromise, insider threat, or privilege escalation—they can easily extract sensitive secrets such as API keys or credentials from the PagerDuty Runbook configuration page. These secrets could then be used to pivot to other systems, escalate privileges, or disrupt incident response workflows. Given PagerDuty's role in incident management and operational continuity, exposure of secrets could lead to delayed or impaired response to security incidents, increasing overall organizational risk. The vulnerability does not directly affect system integrity or availability but undermines trust in the security of operational tooling. Organizations with strict data protection regulations, such as GDPR, may face compliance risks if secret leakage leads to broader data breaches. The risk is heightened in environments where administrative access controls are weak or where multiple administrators share credentials. Since no known exploits exist yet, the immediate risk is moderate, but the potential impact of secret exposure warrants prompt mitigation.
Mitigation Recommendations
Organizations should immediately audit administrative access to PagerDuty Runbook and restrict it to trusted personnel only. Implement strong multi-factor authentication (MFA) for all administrative accounts to reduce the risk of unauthorized access. Review and rotate any secrets stored or displayed in the configuration page to invalidate potentially exposed credentials. Avoid storing sensitive secrets in client-side code or web page DOM; request that PagerDuty apply a fix to prevent secrets from being embedded in the page source, such as fetching secrets securely server-side or masking them properly without exposing plaintext values. Monitor administrative activity logs for suspicious access patterns. Educate administrators about the risk of using browser developer tools to reveal secrets and the importance of safeguarding credentials. Until a patch is released, consider limiting access to the configuration page via network segmentation or VPN restrictions. Regularly check for PagerDuty security advisories and apply patches promptly once available.
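The pattern the mitigation text warns against, shown beside a form that never sends the stored value to the browser, with a check that flags prefilled password inputs in rendered HTML. This is an added example, not PagerDuty's code; the function names, the field name `api_token` and the sample secret are constructed for illustration.

```javascript
// Added illustration, not PagerDuty code. All names and values are constructed.
const esc = (s) =>
  String(s).replace(/&/g, "&amp;").replace(/"/g, "&quot;")
           .replace(/</g, "&lt;").replace(/>/g, "&gt;");

// Pattern described in the advisory: the stored secret is echoed into value="".
// type="password" only changes how the browser draws it; the value is in the source.
function renderVulnerable(name, secret) {
  return `<input type="password" name="${esc(name)}" value="${esc(secret)}">`;
}

// Hardened form: the secret never leaves the server. The page only states
// whether a value is stored.
function renderHardened(name, secret) {
  const hint = secret ? "stored (leave blank to keep)" : "not set";
  return `<input type="password" name="${esc(name)}" value="" ` +
         `placeholder="${hint}" autocomplete="new-password">`;
}

// Server-side save handler for the hardened form: a blank submission keeps
// the stored secret, anything else replaces it.
function applyUpdate(stored, submitted) {
  return submitted === undefined || submitted === "" ? stored : submitted;
}

// Audit check for rendered HTML: names of password inputs that arrive with a
// non-empty value attribute. Regex-based for brevity; use a real HTML parser
// when auditing arbitrary pages.
function findPrefilledPasswordInputs(html) {
  const attr = (tag, n) => {
    const m = tag.match(
      new RegExp(`\\s${n}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, "i"));
    return m ? (m[1] ?? m[2] ?? m[3]) : undefined;
  };
  return (html.match(/<input\b[^>]*>/gi) || [])
    .filter((t) => (attr(t, "type") || "").toLowerCase() === "password")
    .filter((t) => attr(t, "value"))
    .map((t) => attr(t, "name") || "(unnamed)");
}

const SAMPLE_SECRET = "constructed-token-123"; // constructed sample value
console.log(findPrefilledPasswordInputs(renderVulnerable("api_token", SAMPLE_SECRET)));
console.log(findPrefilledPasswordInputs(renderHardened("api_token", SAMPLE_SECRET)));
```

The same check can run in a UI test suite against each settings page so that a prefilled secret field fails the build.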
Affected Countries
United Kingdom, Germany, France, Netherlands, Sweden, Switzerland, Belgium, Ireland
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2025-06-17T00:00:00.000Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 6939a9f462aa6c8a0e3e35f9
Added to database: 12/10/2025, 5:12:20 PM
Last enriched: 12/17/2025, 5:30:56 PM
Last updated: 2/5/2026, 5:56:25 AM