CVE-2025-68429
disclosure vulnerability in storybook (npm)
What is CVE-2025-68429 About?
This vulnerability in Storybook leads to the unintentional exposure of environment variables, including sensitive secrets, when a built Storybook is published. Attackers can view the bundled source code to retrieve these variables. Exploitation occurs passively through access to the published Storybook artifact.
Affected Software
- storybook
  - >=7.0.0, <7.6.21
  - >=8.0.0, <8.6.15
  - >=9.0.0, <9.1.17
  - >=10.0.0, <10.1.10
Technical Details
The vulnerability stems from a bug in how Storybook handles environment variables defined in a .env file during the storybook build process. Under specific conditions (Storybook version 7.0.0+, .env file present at build time, containing secrets), these variables are inadvertently bundled into the final artifacts. When these artifacts are then published to a web server, their source is publicly viewable, leading to the compromise of any sensitive secrets contained within those bundled environment variables.
What is the Impact of CVE-2025-68429?
Successful exploitation may allow attackers to gain unauthorized access to sensitive information, such as API keys, database credentials, or other secrets, potentially leading to further compromise of systems or data exfiltration.
What is the Exploitability of CVE-2025-68429?
Exploitation complexity is low, as it primarily involves accessing the publicly available source code of a vulnerable, published Storybook. No authentication or special privileges are required. This is a remote vulnerability, as an attacker only needs web access to the built Storybook. Key prerequisites for a project to be vulnerable include using Storybook version 7.0.0 or above, building Storybook with a .env file containing secrets, and publishing the built Storybook to the web. The likelihood of exploitation increases with the presence of sensitive secrets in .env files during the build process and subsequent public deployment.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2025-68429?
About the Fix from Resolved Security
This patch prevents non-STORYBOOK_-prefixed environment variables and secrets from being exposed to the client build, ensuring only explicitly intended variables are included. By only including whitelisted variables and removing the exposure of the entire process.env object, it fixes CVE-2025-68429, which previously allowed sensitive server-side secrets (like database credentials or API keys) to be leaked to browser-accessible JavaScript.
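The two passages above describe the bug (the whole build-time environment ending up in the published bundle) and the fix (only explicitly intended, STORYBOOK_-prefixed variables reach the client). The following is an added example, not Storybook's own code or the Resolved Security patch: it contrasts the "expose everything" pattern with an allowlist filter, and adds a post-build check a team can run in CI to confirm that no non-client variable value from the build environment appears verbatim in the emitted artifacts. The STORYBOOK_ prefix rule, the NODE_ENV exception, the `selectClientEnv` / `findLeakedSecrets` names and the sample .env values are all assumptions constructed for the example.

```javascript
'use strict';

// Added example (not Storybook's own code). Assumption: STORYBOOK_-prefixed names are
// the only variables intended for the client bundle; everything else is server-side.
const CLIENT_PREFIX = 'STORYBOOK_';

// Vulnerable pattern (the "before" the advisory describes): serialise the entire
// environment into the client build. Shown only for contrast.
function exposeEverything(env) {
  return { 'process.env': JSON.stringify(env) };
}

// Hardened pattern: only STORYBOOK_-prefixed keys, plus an explicit allowlist of
// known non-secret names (NODE_ENV by default), are serialised into the bundle.
function selectClientEnv(env, extraAllowed = ['NODE_ENV']) {
  const out = {};
  for (const [key, value] of Object.entries(env)) {
    if (key.startsWith(CLIENT_PREFIX) || extraAllowed.includes(key)) {
      out[key] = value;
    }
  }
  return out;
}

// Post-build check: report every build-time variable whose VALUE appears verbatim in
// the bundle text although its NAME was not intended for the client. Short values are
// skipped to avoid false positives on strings such as "production".
function findLeakedSecrets(env, bundleText, extraAllowed = ['NODE_ENV'], minLength = 8) {
  const leaked = [];
  for (const [key, value] of Object.entries(env)) {
    if (key.startsWith(CLIENT_PREFIX) || extraAllowed.includes(key)) continue;
    if (typeof value !== 'string' || value.length < minLength) continue;
    if (bundleText.includes(value)) leaked.push(key);
  }
  return leaked.sort();
}

// Constructed sample .env contents as they might exist at build time (not real credentials).
const SAMPLE_ENV = {
  NODE_ENV: 'production',
  STORYBOOK_API_BASE: 'https://api.example.test',
  DATABASE_URL: 'postgres://app:hunter2-not-real@db.internal:5432/app',
  SECRET_API_KEY: 'sk_test_EXAMPLE_0123456789',
};

// Stand-in for a bundler's define step: the values a real bundler would substitute into
// the output are concatenated into one string that the leak check can scan.
function simulateBuild(env, defineFn) {
  return Object.values(defineFn(env)).join('\n');
}

// Runs both configurations through the leak check and returns the findings.
function demo() {
  const leakyBundle = simulateBuild(SAMPLE_ENV, exposeEverything);
  const safeBundle = simulateBuild(SAMPLE_ENV, (e) => ({
    'process.env': JSON.stringify(selectClientEnv(e)),
  }));
  return {
    leaky: findLeakedSecrets(SAMPLE_ENV, leakyBundle),
    safe: findLeakedSecrets(SAMPLE_ENV, safeBundle),
  };
}

console.log(JSON.stringify(demo()));
```

In a real pipeline `bundleText` would be the concatenated contents of the files under the Storybook output directory, and `env` the environment the build ran with; a non-empty result from `findLeakedSecrets` is a reason to fail the publish step and rotate the affected credentials, since a bundle that has already been served must be treated as disclosed.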
Available Upgrade Options
- storybook
  - >=7.0.0, <7.6.21 → Upgrade to 7.6.21
  - >=8.0.0, <8.6.15 → Upgrade to 8.6.15
  - >=9.0.0, <9.1.17 → Upgrade to 9.1.17
  - >=10.0.0, <10.1.10 → Upgrade to 10.1.10
Additional Resources
- https://github.com/storybookjs/storybook/security/advisories/GHSA-8452-54wp-rmv6
- https://nvd.nist.gov/vuln/detail/CVE-2025-68429
- https://osv.dev/vulnerability/GHSA-8452-54wp-rmv6
- https://github.com/storybookjs/storybook
- https://storybook.js.org/blog/security-advisory
What are Similar Vulnerabilities to CVE-2025-68429?
Similar Vulnerabilities: CVE-2022-24765, CVE-2020-15077, CVE-2021-3807, CVE-2021-23382, CVE-2023-49080
