CVE-2025-68429: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in storybookjs storybook
Storybook is a frontend workshop for building user interface components and pages in isolation. A vulnerability present starting in versions 7.0.0 and prior to versions 7.6.21, 8.6.15, 9.1.17, and 10.1.10 relates to Storybook’s handling of environment variables defined in a `.env` file, which could, in specific circumstances, lead to those variables being unexpectedly bundled into the artifacts created by the `storybook build` command. When a built Storybook is published to the web, the bundle’s source is viewable, thus potentially exposing those variables to anyone with access. For a project to potentially be vulnerable to this issue, it must build the Storybook (i.e. run `storybook build` directly or indirectly) in a directory that contains a `.env` file (including variants like `.env.local`) and publish the built Storybook to the web. Storybooks built without a `.env` file at build time are not affected, including common CI-based builds where secrets are provided via platform environment variables rather than `.env` files. Storybook runtime environments (i.e. `storybook dev`) are not affected. Deployed applications that share a repo with your Storybook are not affected. Users should upgrade their Storybook—on both their local machines and CI environment—to version .6.21, 8.6.15, 9.1.17, or 10.1.10 as soon as possible. Maintainers additionally recommend that users audit for any sensitive secrets provided via `.env` files and rotate those keys. Some projects may have been relying on the undocumented behavior at the heart of this issue and will need to change how they reference environment variables after this update. If a project can no longer read necessary environmental variable values, either prefix the variables with `STORYBOOK_` or use the `env` property in Storybook’s configuration to manually specify values. In either case, do not include sensitive secrets as they will be included in the built bundle.
AI Analysis
Technical Summary
CVE-2025-68429 is a vulnerability in Storybook, a widely used frontend development tool that allows developers to build UI components in isolation. The flaw arises from how Storybook handles environment variables defined in .env files during the static build process initiated by the 'storybook build' command. Specifically, when a .env file is present in the build directory, Storybook may inadvertently bundle these environment variables—including sensitive secrets such as API keys or credentials—into the generated static artifacts. Since these artifacts are often published to public or internal web servers, the bundled source code becomes accessible to anyone with access, leading to exposure of sensitive information to unauthorized actors. This issue affects Storybook versions starting from 7.0.0 up to but excluding versions 7.6.21, 8.6.15, 9.1.17, and 10.1.10. Notably, builds performed without .env files, such as those using CI environments that inject secrets via platform environment variables, are not vulnerable. The vulnerability does not impact the Storybook runtime environment ('storybook dev') or deployed applications that share the same repository. The root cause is an undocumented behavior in Storybook’s environment variable handling that was unintentionally exposing secrets. To remediate, users must upgrade to the fixed versions, audit their .env files for sensitive data, and rotate any exposed secrets. Additionally, projects that depended on the old behavior need to modify how environment variables are referenced, either by prefixing variables with 'STORYBOOK_' or specifying them explicitly in Storybook’s configuration, ensuring no sensitive secrets are included in the build artifacts.
Potential Impact
For European organizations, this vulnerability poses a significant risk of sensitive information leakage, particularly for companies that use Storybook to build and publish UI component libraries publicly or internally. Exposure of environment variables can lead to unauthorized access to APIs, databases, or third-party services, potentially resulting in data breaches, service disruptions, or further exploitation. Organizations in sectors with strict data protection regulations, such as finance, healthcare, and government, may face compliance violations under GDPR if sensitive data is exposed. The risk is heightened for organizations that store critical secrets in .env files within the build directory and publish Storybook artifacts without proper controls. The vulnerability could facilitate lateral movement or privilege escalation if attackers leverage exposed credentials. Although no known exploits are reported in the wild yet, the ease of exploitation (no authentication or user interaction required) and the public availability of source bundles increase the likelihood of opportunistic attacks. The impact extends to the integrity and availability of services if attackers use exposed secrets to manipulate or disrupt operations.
Mitigation Recommendations
European organizations should immediately upgrade all Storybook instances—both local development environments and CI/CD pipelines—to the patched versions 7.6.21, 8.6.15, 9.1.17, or 10.1.10. Conduct a thorough audit of all .env files used during Storybook builds to identify any sensitive secrets that may have been exposed. Rotate all potentially compromised keys, tokens, and credentials promptly. Modify build processes to avoid placing .env files containing secrets in the build directory or use CI environment variables instead, as these are not bundled into the build artifacts. For projects relying on the previous behavior, refactor environment variable usage by prefixing variables with 'STORYBOOK_' or explicitly defining them in Storybook’s configuration 'env' property, ensuring no sensitive information is included. Implement access controls on published Storybook artifacts, restricting public exposure where possible. Regularly review and monitor public repositories and artifact hosting sites for accidental leaks. Incorporate automated scanning tools in CI pipelines to detect inclusion of sensitive data in build outputs. Finally, educate development teams about secure environment variable management and the risks of bundling secrets in frontend artifacts.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain, Poland
CVE-2025-68429: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in storybookjs storybook
Description
Storybook is a frontend workshop for building user interface components and pages in isolation. A vulnerability present starting in versions 7.0.0 and prior to versions 7.6.21, 8.6.15, 9.1.17, and 10.1.10 relates to Storybook’s handling of environment variables defined in a `.env` file, which could, in specific circumstances, lead to those variables being unexpectedly bundled into the artifacts created by the `storybook build` command. When a built Storybook is published to the web, the bundle’s source is viewable, thus potentially exposing those variables to anyone with access. For a project to potentially be vulnerable to this issue, it must build the Storybook (i.e. run `storybook build` directly or indirectly) in a directory that contains a `.env` file (including variants like `.env.local`) and publish the built Storybook to the web. Storybooks built without a `.env` file at build time are not affected, including common CI-based builds where secrets are provided via platform environment variables rather than `.env` files. Storybook runtime environments (i.e. `storybook dev`) are not affected. Deployed applications that share a repo with your Storybook are not affected. Users should upgrade their Storybook—on both their local machines and CI environment—to version .6.21, 8.6.15, 9.1.17, or 10.1.10 as soon as possible. Maintainers additionally recommend that users audit for any sensitive secrets provided via `.env` files and rotate those keys. Some projects may have been relying on the undocumented behavior at the heart of this issue and will need to change how they reference environment variables after this update. If a project can no longer read necessary environmental variable values, either prefix the variables with `STORYBOOK_` or use the `env` property in Storybook’s configuration to manually specify values. In either case, do not include sensitive secrets as they will be included in the built bundle.
AI-Powered Analysis
Technical Analysis
CVE-2025-68429 is a vulnerability in Storybook, a widely used frontend development tool that allows developers to build UI components in isolation. The flaw arises from how Storybook handles environment variables defined in .env files during the static build process initiated by the 'storybook build' command. Specifically, when a .env file is present in the build directory, Storybook may inadvertently bundle these environment variables—including sensitive secrets such as API keys or credentials—into the generated static artifacts. Since these artifacts are often published to public or internal web servers, the bundled source code becomes accessible to anyone with access, leading to exposure of sensitive information to unauthorized actors. This issue affects Storybook versions starting from 7.0.0 up to but excluding versions 7.6.21, 8.6.15, 9.1.17, and 10.1.10. Notably, builds performed without .env files, such as those using CI environments that inject secrets via platform environment variables, are not vulnerable. The vulnerability does not impact the Storybook runtime environment ('storybook dev') or deployed applications that share the same repository. The root cause is an undocumented behavior in Storybook’s environment variable handling that was unintentionally exposing secrets. To remediate, users must upgrade to the fixed versions, audit their .env files for sensitive data, and rotate any exposed secrets. Additionally, projects that depended on the old behavior need to modify how environment variables are referenced, either by prefixing variables with 'STORYBOOK_' or specifying them explicitly in Storybook’s configuration, ensuring no sensitive secrets are included in the build artifacts.
Potential Impact
For European organizations, this vulnerability poses a significant risk of sensitive information leakage, particularly for companies that use Storybook to build and publish UI component libraries publicly or internally. Exposure of environment variables can lead to unauthorized access to APIs, databases, or third-party services, potentially resulting in data breaches, service disruptions, or further exploitation. Organizations in sectors with strict data protection regulations, such as finance, healthcare, and government, may face compliance violations under GDPR if sensitive data is exposed. The risk is heightened for organizations that store critical secrets in .env files within the build directory and publish Storybook artifacts without proper controls. The vulnerability could facilitate lateral movement or privilege escalation if attackers leverage exposed credentials. Although no known exploits are reported in the wild yet, the ease of exploitation (no authentication or user interaction required) and the public availability of source bundles increase the likelihood of opportunistic attacks. The impact extends to the integrity and availability of services if attackers use exposed secrets to manipulate or disrupt operations.
Mitigation Recommendations
European organizations should immediately upgrade all Storybook instances—both local development environments and CI/CD pipelines—to the patched versions 7.6.21, 8.6.15, 9.1.17, or 10.1.10. Conduct a thorough audit of all .env files used during Storybook builds to identify any sensitive secrets that may have been exposed. Rotate all potentially compromised keys, tokens, and credentials promptly. Modify build processes to avoid placing .env files containing secrets in the build directory or use CI environment variables instead, as these are not bundled into the build artifacts. For projects relying on the previous behavior, refactor environment variable usage by prefixing variables with 'STORYBOOK_' or explicitly defining them in Storybook’s configuration 'env' property, ensuring no sensitive information is included. Implement access controls on published Storybook artifacts, restricting public exposure where possible. Regularly review and monitor public repositories and artifact hosting sites for accidental leaks. Incorporate automated scanning tools in CI pipelines to detect inclusion of sensitive data in build outputs. Finally, educate development teams about secure environment variable management and the risks of bundling secrets in frontend artifacts.
Affected Countries
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2025-12-17T15:29:39.379Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 6943327a058703ef3fcb5caf
Added to database: 12/17/2025, 10:45:14 PM
Last enriched: 12/25/2025, 12:11:40 AM
Last updated: 2/6/2026, 5:18:30 AM
Views: 115
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Related Threats
CVE-2026-1990: NULL Pointer Dereference in oatpp
MediumCVE-2026-1979: Use After Free in mruby
MediumCVE-2026-1978: Direct Request in kalyan02 NanoCMS
MediumCVE-2026-25698
LowCVE-2026-25697
LowActions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console in Console -> Billing for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.