CVE-2025-68429
Environment Variable Exposure in Storybook Build Artifacts
Publication date: 2025-12-17
Last updated on: 2026-04-10
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| storybook | storybook | From 10.0.0 (inc) to 10.1.10 (exc) |
| storybook | storybook | From 7.0.0 (inc) to 7.6.21 (exc) |
| storybook | storybook | From 8.0.0 (inc) to 8.6.15 (exc) |
| storybook | storybook | From 9.0.0 (inc) to 9.1.17 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
| CWE-541 | If an include file source is accessible, the file can contain usernames and passwords, as well as sensitive information pertaining to the application and system. |
| CWE-538 | The product places sensitive information into files or directories that are accessible to actors who are allowed to have access to the files, but not to the sensitive information. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in Storybook affects versions starting from 7.0.0 up to versions prior to 7.6.21, 8.6.15, 9.1.17, and 10.1.10. It involves the handling of environment variables defined in a `.env` file during the build process (`storybook build`). Under certain conditions, these environment variables can be unintentionally included in the built Storybook artifacts. When the built Storybook is published on the web, the source code bundle is viewable, potentially exposing these environment variables to anyone who accesses it. The vulnerability only affects builds done in directories containing `.env` files and does not affect runtime environments or deployed applications sharing the repo. Users are advised to upgrade to fixed versions and audit their `.env` files for sensitive data.
How can this vulnerability impact me?
If you build and publish a Storybook project in a directory containing a `.env` file, sensitive environment variables such as secrets or keys may be unintentionally included in the publicly accessible build artifacts. This exposure can lead to unauthorized access to sensitive information, potentially compromising security, integrity, and availability of your systems or data. It may also require you to rotate any exposed keys or secrets to mitigate the risk.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
You can detect this vulnerability by checking whether your Storybook build runs in a directory containing a `.env` file (including variants such as `.env.local`) and whether the built Storybook is published to the web. To find such files, run a command like `find . -name ".env*"` in your project directory. Then inspect the built Storybook artifacts for exposed environment variables by searching the build output files for the names or values of sensitive keys; variables prefixed with `STORYBOOK_` are exposed by design, so any other variable whose value appears in the output is the concern.
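The artifact search suggested above, as an added example (not code from the advisory or from the Storybook project): a POSIX shell scanner that reads each `NAME=VALUE` pair from a `.env` file, greps the build output for each value, and flags any hit whose name lacks the `STORYBOOK_` prefix. The `storybook-static` directory name, the file names and the sample `.env` and bundle contents are assumptions constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the advisory or from Storybook: scan a
# Storybook build output directory for values declared in a .env file.
# Paths (storybook-static/, .env) and the sample contents are assumptions.

# find_leaked_env BUILD_DIR ENV_FILE
# Prints each NAME from ENV_FILE whose value appears verbatim in BUILD_DIR.
# Returns 1 when a variable without the public STORYBOOK_ prefix leaked.
find_leaked_env() {
  build_dir=$1; env_file=$2; leaked=0
  while IFS='=' read -r name value; do
    case "$name" in ''|\#*) continue ;; esac      # skip blanks and comments
    case "$value" in                                 # strip surrounding quotes
      \"*\") value=${value#\"}; value=${value%\"} ;;
      \'*\') value=${value#\'}; value=${value%\'} ;;
    esac
    if [ -z "$value" ]; then continue; fi            # empty value matches everything
    # Very short values ("dark", "true") will produce false positives; review hits.
    if grep -rqF -- "$value" "$build_dir"; then
      case "$name" in
        STORYBOOK_*) printf '%s\tpublic by design\n' "$name" ;;
        *) printf '%s\tUNEXPECTED: rotate this secret\n' "$name"; leaked=1 ;;
      esac
    fi
  done < "$env_file"
  return $leaked
}

# demo_scan: writes a constructed .env and a fake bundle that, like an
# affected build, inlined both values, then runs the scanner on them.
demo_scan() {
  tmp=$(mktemp -d)
  mkdir -p "$tmp/storybook-static/assets"
  cat > "$tmp/.env" <<'EOF'
# constructed sample .env (no real secrets)
STORYBOOK_THEME=dark
DATABASE_PASSWORD="example-db-password-123"
UNUSED_TOKEN=never-inlined-xyz
EOF
  cat > "$tmp/storybook-static/assets/iframe-abc123.js" <<'EOF'
const t="dark",p="example-db-password-123";export{p,t};
EOF
  if find_leaked_env "$tmp/storybook-static" "$tmp/.env"; then rc=0; else rc=1; fi
  rm -rf "$tmp"
  return $rc
}
```

Run `find_leaked_env storybook-static .env` against a real build; a non-zero exit means a non-`STORYBOOK_` value was found in the published output and should be rotated.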
What immediate steps should I take to mitigate this vulnerability?
Immediately upgrade your Storybook versions to 7.6.21, 8.6.15, 9.1.17, or 10.1.10 on both local machines and CI environments. Audit your `.env` files for any sensitive secrets and rotate those keys. Avoid including sensitive secrets in `.env` files used during the build. If your project can no longer read necessary environment variables after upgrading, prefix variables with `STORYBOOK_` or use the `env` property in Storybook's configuration to specify values, but do not include sensitive secrets there.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability could lead to the unintended exposure of environment variables, which may include sensitive secrets, when a Storybook build is published to the web. Such exposure of sensitive data could potentially result in non-compliance with data protection standards and regulations like GDPR or HIPAA, which require the protection of confidential information. Therefore, organizations using affected versions of Storybook should upgrade and audit their environment variables to prevent accidental data leaks that might violate these compliance requirements.