How to fix CVE-2025-68429?

Within 24 hours: Audit all published Storybook instances for sensitive data exposure by reviewing build artifacts in `.storybook/dist` or equivalent output directories; immediately remove any exposed credentials from production. Within 7 days: Identify all projects running Storybook 7.0.0-10.1.9; move `.env` files outside the Storybook build directory or use environment-specific configuration files that exclude secrets. Within 30 days: Implement a pre-build validation step to detect `.env` file presence in build paths; monitor vendor advisories for patch release and upgrade to patched version immediately upon availability; configure CI/CD to fail builds if environment variables are detected in bundle output.

Is Storybook affected by CVE-2025-68429?

Storybook versions 7.0.0-10.1.9 for Node.js contain an information disclosure vulnerability that exposes environment variables from `.env` files into publicly accessible build artifacts.

CVE-2025-68429

HIGH

2025-12-17 [email protected]

7.3

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

Low

Lifecycle Timeline

Patch Released

Apr 10, 2026 - 20:30 nvd

Patch available

Analysis Generated

Apr 10, 2026 - 17:37 vuln.today

CVE Published

Dec 17, 2025 - 23:16 nvd

HIGH 7.3

Description

Storybook is a frontend workshop for building user interface components and pages in isolation. A vulnerability present starting in versions 7.0.0 and prior to versions 7.6.21, 8.6.15, 9.1.17, and 10.1.10 relates to Storybook’s handling of environment variables defined in a `.env` file, which could, in specific circumstances, lead to those variables being unexpectedly bundled into the artifacts created by the `storybook build` command. When a built Storybook is published to the web, the bundle’s source is viewable, thus potentially exposing those variables to anyone with access. For a project to potentially be vulnerable to this issue, it must build the Storybook (i.e. run `storybook build` directly or indirectly) in a directory that contains a `.env` file (including variants like `.env.local`) and publish the built Storybook to the web. Storybooks built without a `.env` file at build time are not affected, including common CI-based builds where secrets are provided via platform environment variables rather than `.env` files. Storybook runtime environments (i.e. `storybook dev`) are not affected. Deployed applications that share a repo with your Storybook are not affected. Users should upgrade their Storybook-on both their local machines and CI environment-to version .6.21, 8.6.15, 9.1.17, or 10.1.10 as soon as possible. Maintainers additionally recommend that users audit for any sensitive secrets provided via `.env` files and rotate those keys. Some projects may have been relying on the undocumented behavior at the heart of this issue and will need to change how they reference environment variables after this update. If a project can no longer read necessary environmental variable values, either prefix the variables with `STORYBOOK_` or use the `env` property in Storybook’s configuration to manually specify values. In either case, do not include sensitive secrets as they will be included in the built bundle.

Analysis

Information disclosure in Storybook for Node.js versions 7.0.0 through 10.1.9 exposes environment variables from .env files when using storybook build command. Unpatched projects building Storybook in directories containing .env files risk bundling sensitive credentials into publicly viewable artifacts. Unauthenticated attackers accessing published Storybook bundles can extract secrets from source code. Runtime dev mode, CI builds using platform environment variables, and co-located applications remain unaffected. No public exploit identified at time of analysis.

Technical Context

CWE-200 information exposure stems from improper handling of dotenv file parsing during build bundling. Environment variables from `.env`, `.env.local` variants are inadvertently included in webpack/vite bundle output without explicit STORYBOOK_ prefix filtering. Affected Node.js Storybook builder code fails to distinguish build-time secrets from intended client-side configuration variables.

Affected Products

Storybook for Node.js, vendor Storybook. Vulnerable versions: 7.0.0 to 7.6.20, 8.0.0 to 8.6.14, 9.0.0 to 9.1.16, 10.0.0 to 10.1.9. CPE: cpe:2.3:a:storybook:storybook:*:*:*:*:*:node.js:*:*

Remediation

Vendor-released patches: upgrade to Storybook 7.6.21, 8.6.15, 9.1.17, or 10.1.10 immediately on local development machines and CI environments. After upgrading, audit all `.env` files for exposed secrets and rotate compromised credentials including API keys, database passwords, and authentication tokens. Projects dependent on undocumented `.env` bundling behavior must migrate to STORYBOOK_ prefixed variables or explicitly define values via Storybook's `env` configuration property-do not include sensitive data in either approach as patched versions exclude non-prefixed variables but still bundle STORYBOOK_ values. Official advisory with migration guidance: https://github.com/storybookjs/storybook/security/advisories/GHSA-8452-54wp-rmv6

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.0

CVSS: +36

POC: 0

CVE-2025-68429 vulnerability details – vuln.today

Back

CVE-2025-68429

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

CVE-2025-68429

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

External POC / Exploit Code