CVE-2025-68429
📋 TL;DR
A vulnerability in Storybook versions 7.0.0 through 7.6.20, 8.0.0 through 8.6.14, 9.0.0 through 9.1.16, and 10.0.0 through 10.1.9 could expose sensitive environment variables from .env files when building Storybook artifacts. If these built Storybooks are published to the web, anyone accessing them could view the exposed secrets. Only projects that build Storybook in directories containing .env files and publish the built artifacts are affected.
💻 Affected Systems
- Storybook
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Sensitive secrets like API keys, database credentials, or authentication tokens are exposed publicly, leading to unauthorized access to backend systems, data breaches, or account compromise.
Likely Case
Development or staging environment secrets are exposed, potentially allowing attackers to access internal systems or escalate privileges in non-production environments.
If Mitigated
No exposure occurs if .env files are not present during build time or if built Storybooks are not published to publicly accessible locations.
🎯 Exploit Status
Exploitation requires accessing published Storybook artifacts and viewing source code. No authentication or special tools needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 7.6.21, 8.6.15, 9.1.17, or 10.1.10
Vendor Advisory: https://github.com/storybookjs/storybook/security/advisories/GHSA-8452-54wp-rmv6
Restart Required: No
Instructions:
1. Update the Storybook packages using npm: `npm update @storybook/*` or yarn: `yarn upgrade @storybook/*`.
2. Verify that the installed version matches one of the patched versions.
3. Rebuild and redeploy the Storybook artifacts.
🔧 Temporary Workarounds
Remove .env files before build
Ensure .env files are not present in the build directory when running the storybook build command
rm -f .env .env.local .env.* 2>/dev/null || true
storybook build
Use STORYBOOK_ prefix for environment variables
Prefix environment variables with STORYBOOK_ to prevent bundling into artifacts
🧯 If You Can't Patch
- Do not publish built Storybook artifacts to publicly accessible locations
- Audit and rotate any secrets that may have been exposed in .env files used during builds
🔍 How to Verify
Check if Vulnerable:
Check whether the Storybook version is within the affected ranges and whether .env files exist in the build directory
Check Version:
npx storybook --version
Verify Fix Applied:
Verify that the Storybook version is at least 7.6.21, 8.6.15, 9.1.17, or 10.1.10 (the patched release of its major line)
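To confirm whether a build actually leaked anything, the following added example (not from the advisory or the Storybook project) parses the project's .env file and searches every file under the build output for the literal values; the storybook-static and .env default paths and the sample data are assumptions.

```python
import re
from pathlib import Path

# KEY=VALUE lines, optionally prefixed with `export`; blank and comment lines are skipped below.
_LINE = re.compile(r"^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$")

# Constructed sample input (placeholder values, not real credentials) for a stand-alone run.
SAMPLE_ENV = ("# database\nDB_PASSWORD='hunter2-example-pw'\nPORT=3000\n"
              "export API_TOKEN=tok_example_0123456789 # rotate after exposure\n")
SAMPLE_BUILD = {  # path -> file contents, as a Storybook build output might look
    "storybook-static/main.abc123.js": 'const cfg={token:"tok_example_0123456789",port:3000};',
    "storybook-static/index.html": "<html></html>",
}

def parse_dotenv(text: str) -> dict[str, str]:
    """Return the variables defined in .env-style text, surrounding quotes stripped."""
    env: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = _LINE.match(line) if line and not line.startswith("#") else None
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]  # quoted: keep contents verbatim
        else:
            value = value.split(" #", 1)[0].rstrip()  # unquoted: drop trailing comment
        env[key] = value
    return env

def find_leaked_values(env: dict[str, str], files: dict[str, str],
                       min_len: int = 8) -> dict[str, list[str]]:
    """Map each variable whose value appears verbatim in some file to the files containing it."""
    leaks: dict[str, list[str]] = {}
    for key, value in env.items():
        if len(value) < min_len:  # "true", "3000": match by chance and are rarely secrets
            continue
        hits = sorted(name for name, body in files.items() if value in body)
        if hits:
            leaks[key] = hits
    return leaks

def scan_build_dir(build_dir: str = "storybook-static", dotenv: str = ".env") -> dict[str, list[str]]:
    """Read the .env file and every file under the build output, then report leaked variables."""
    env = parse_dotenv(Path(dotenv).read_text(encoding="utf-8"))
    files = {str(p): p.read_text(encoding="utf-8", errors="ignore")
             for p in Path(build_dir).rglob("*") if p.is_file()}
    return find_leaked_values(env, files)
```

Run `scan_build_dir()` from the project root after `storybook build`; any variable it reports should be rotated, not only removed from the next build.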
📡 Detection & Monitoring
Log Indicators:
- Build logs showing .env file presence during storybook build
Network Indicators:
- HTTP requests to published Storybook artifacts containing environment variable patterns
SIEM Query:
source="build_logs" AND "storybook build" AND (".env" OR "environment variable")