CVE-2025-68429

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2025-68429

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-68429.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-68429

Aliases

GHSA-8452-54wp-rmv6

Published

2025-12-17T22:26:55.732Z

Modified

2025-12-18T21:46:52.413474Z

Severity

7.3 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L CVSS Calculator

Summary

Storybook manager bundle may expose environment variables during build

Details

Storybook is a frontend workshop for building user interface components and pages in isolation. A vulnerability present starting in versions 7.0.0 and prior to versions 7.6.21, 8.6.15, 9.1.17, and 10.1.10 relates to Storybook’s handling of environment variables defined in a .env file, which could, in specific circumstances, lead to those variables being unexpectedly bundled into the artifacts created by the storybook build command. When a built Storybook is published to the web, the bundle’s source is viewable, thus potentially exposing those variables to anyone with access. For a project to potentially be vulnerable to this issue, it must build the Storybook (i.e. run storybook build directly or indirectly) in a directory that contains a .env file (including variants like .env.local) and publish the built Storybook to the web. Storybooks built without a .env file at build time are not affected, including common CI-based builds where secrets are provided via platform environment variables rather than .env files. Storybook runtime environments (i.e. storybook dev) are not affected. Deployed applications that share a repo with your Storybook are not affected. Users should upgrade their Storybook—on both their local machines and CI environment—to version .6.21, 8.6.15, 9.1.17, or 10.1.10 as soon as possible. Maintainers additionally recommend that users audit for any sensitive secrets provided via .env files and rotate those keys. Some projects may have been relying on the undocumented behavior at the heart of this issue and will need to change how they reference environment variables after this update. If a project can no longer read necessary environmental variable values, either prefix the variables with STORYBOOK_ or use the env property in Storybook’s configuration to manually specify values. In either case, do not include sensitive secrets as they will be included in the built bundle.

Database specific

{
    "cwe_ids": [
        "CWE-200",
        "CWE-538",
        "CWE-541"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/68xxx/CVE-2025-68429.json",
    "cna_assigner": "GitHub_M"
}

References

Affected packages

Git / github.com/storybookjs/storybook

Affected ranges

Type

GIT

Repo

https://github.com/storybookjs/storybook

Events

Introduced

4f2afa644d7f2833181fc03187f5597d442285a6

Fixed

8f19cc2186ca5c4a484ed1a349c9d5346f2c350b

Database specific

{
    "versions": [
        {
            "introduced": "7.0.0"
        },
        {
            "fixed": "7.6.21"
        }
    ]
}

Type

GIT

Repo

https://github.com/storybookjs/storybook

Events

Introduced

49f18e828c3c543f1498ca57347c9f19b09fdc11

Fixed

3812b43cbb4ac5fec5fb681267e2d79d32b32b48

Database specific

{
    "versions": [
        {
            "introduced": "8.0.0"
        },
        {
            "fixed": "8.6.15"
        }
    ]
}

Type

GIT

Repo

https://github.com/storybookjs/storybook

Events

Introduced

5dd81ae54583e9d445c515fa6640f26de0056592

Fixed

d0d5a3d645df3493ad935e321d1ef101679cfc2e

Database specific

{
    "versions": [
        {
            "introduced": "9.0.0"
        },
        {
            "fixed": "9.1.17"
        }
    ]
}

Type

GIT

Repo

https://github.com/storybookjs/storybook

Events

Introduced

88a02e67cd158c174542912961d4d2a75fb65d75

Fixed

cf9d34727b9c29bbede73df10c0824088982909e

Database specific

{
    "versions": [
        {
            "introduced": "10.0.0"
        },
        {
            "fixed": "10.1.10"
        }
    ]
}

Affected versions

7.*

7.6.20

v10.*

v10.0.0

v10.1.0

v10.1.0-alpha.0

v10.1.0-alpha.1

v10.1.0-alpha.10

v10.1.0-alpha.11

v10.1.0-alpha.12

v10.1.0-alpha.13

v10.1.0-alpha.14

v10.1.0-alpha.2

v10.1.0-alpha.3

v10.1.0-alpha.4

v10.1.0-alpha.5

v10.1.0-alpha.6

v10.1.0-alpha.7

v10.1.0-alpha.8

v10.1.0-alpha.9

v10.1.0-beta.0

v10.1.0-beta.1

v10.1.0-beta.2

v10.1.0-beta.3

v10.1.0-beta.4

v10.1.0-beta.5

v10.1.0-beta.6

v10.1.1

v10.1.2

v10.1.3

v10.1.4

v10.1.5

v10.1.6

v10.1.7

v10.1.8

v10.1.9

v7.*

v7.0.0

v7.0.1

v7.0.10

v7.0.11

v7.0.12

v7.0.13

v7.0.14

v7.0.15

v7.0.16

v7.0.17

v7.0.18

v7.0.19

v7.0.2

v7.0.20

v7.0.21

v7.0.22

v7.0.23

v7.0.24

v7.0.25

v7.0.26

v7.0.27

v7.0.3

v7.0.4

v7.0.5

v7.0.6

v7.0.7

v7.0.8

v7.0.9

v7.1.0

v7.1.0-alpha.0

v7.1.0-alpha.1

v7.1.0-alpha.10

v7.1.0-alpha.11

v7.1.0-alpha.12

v7.1.0-alpha.13

v7.1.0-alpha.14

v7.1.0-alpha.15

v7.1.0-alpha.16

v7.1.0-alpha.17

v7.1.0-alpha.18

v7.1.0-alpha.19

v7.1.0-alpha.2

v7.1.0-alpha.20

v7.1.0-alpha.21

v7.1.0-alpha.22

v7.1.0-alpha.23

v7.1.0-alpha.24

v7.1.0-alpha.25

v7.1.0-alpha.26

v7.1.0-alpha.27

v7.1.0-alpha.28

v7.1.0-alpha.29

v7.1.0-alpha.3

v7.1.0-alpha.30

v7.1.0-alpha.31

v7.1.0-alpha.32

v7.1.0-alpha.33

v7.1.0-alpha.34

v7.1.0-alpha.35

v7.1.0-alpha.36

v7.1.0-alpha.37

v7.1.0-alpha.38

v7.1.0-alpha.39

v7.1.0-alpha.4

v7.1.0-alpha.40

v7.1.0-alpha.41

v7.1.0-alpha.42

v7.1.0-alpha.43

v7.1.0-alpha.44

v7.1.0-alpha.5

v7.1.0-alpha.6

v7.1.0-alpha.7

v7.1.0-alpha.8

v7.1.0-alpha.9

v7.1.0-beta.0

v7.1.0-beta.1

v7.1.0-beta.2

v7.1.0-beta.3

v7.1.0-rc.0

v7.1.0-rc.1

v7.1.0-rc.2

v7.1.1

v7.2.0

v7.2.0-alpha.0

v7.2.0-rc.0

v7.2.1

v7.2.2-alpha.0

v7.2.2-alpha.1

v7.3.0

v7.3.0-alpha.0

v7.3.1

v7.3.2

v7.4.0

v7.4.0-alpha.0

v7.4.0-alpha.1

v7.4.0-alpha.2

v7.4.1

v7.4.2

v7.4.3

v7.4.4

v7.4.5

v7.4.6

v7.5.0

v7.5.0-alpha.0

v7.5.0-alpha.1

v7.5.0-alpha.2

v7.5.0-alpha.3

v7.5.0-alpha.4

v7.5.0-alpha.5

v7.5.0-alpha.6

v7.5.0-alpha.7

v7.5.1

v7.5.2

v7.5.3

v7.6.0

v7.6.0-alpha.0

v7.6.0-alpha.1

v7.6.0-alpha.2

v7.6.0-alpha.3

v7.6.0-alpha.4

v7.6.0-alpha.5

v7.6.0-alpha.6

v7.6.0-alpha.7

v7.6.0-beta.0

v7.6.0-beta.1

v7.6.0-beta.2

v7.6.1

v7.6.10

v7.6.11

v7.6.12

v7.6.13

v7.6.14

v7.6.15

v7.6.16

v7.6.17

v7.6.18

v7.6.19

v7.6.2

v7.6.3

v7.6.4

v7.6.5

v7.6.6

v7.6.7

v7.6.8

v7.6.9

v8.*

v8.0.0

v8.0.1

v8.0.10

v8.0.2

v8.0.3

v8.0.4

v8.0.5

v8.0.6

v8.0.7

v8.0.8

v8.0.9

v8.1.0

v8.1.0-alpha.0

v8.1.0-alpha.1

v8.1.0-alpha.2

v8.1.0-alpha.3

v8.1.0-alpha.4

v8.1.0-alpha.5

v8.1.0-alpha.6

v8.1.0-alpha.7

v8.1.0-alpha.8

v8.1.0-beta.0

v8.1.0-beta.1

v8.2.0

v8.2.0-alpha.0

v8.2.0-alpha.1

v8.2.0-alpha.10

v8.2.0-alpha.2

v8.2.0-alpha.3

v8.2.0-alpha.4

v8.2.0-alpha.5

v8.2.0-alpha.6

v8.2.0-alpha.7

v8.2.0-alpha.8

v8.2.0-alpha.9

v8.2.0-beta.0

v8.2.0-beta.1

v8.2.0-beta.2

v8.2.0-beta.3

v8.3.0

v8.3.0-alpha.0

v8.3.0-alpha.1

v8.3.0-alpha.10

v8.3.0-alpha.11

v8.3.0-alpha.2

v8.3.0-alpha.3

v8.3.0-alpha.4

v8.3.0-alpha.5

v8.3.0-alpha.6

v8.3.0-alpha.7

v8.3.0-alpha.8

v8.3.0-alpha.9

v8.3.0-beta.0

v8.3.0-beta.1

v8.3.0-beta.2

v8.3.0-beta.3

v8.3.0-beta.4

v8.3.0-beta.5

v8.4.0

v8.4.0-alpha.0

v8.4.0-alpha.1

v8.4.0-alpha.2

v8.4.0-alpha.3

v8.4.0-alpha.4

v8.4.0-alpha.5

v8.4.0-alpha.6

v8.4.0-alpha.7

v8.4.0-alpha.8

v8.4.0-beta.0

v8.4.0-beta.1

v8.4.0-beta.2

v8.4.0-beta.3

v8.4.0-beta.4

v8.4.0-beta.5

v8.5.0

v8.5.0-alpha.0

v8.5.0-alpha.1

v8.5.0-alpha.10

v8.5.0-alpha.11

v8.5.0-alpha.12

v8.5.0-alpha.13

v8.5.0-alpha.14

v8.5.0-alpha.15

v8.5.0-alpha.16

v8.5.0-alpha.17

v8.5.0-alpha.18

v8.5.0-alpha.19

v8.5.0-alpha.2

v8.5.0-alpha.20

v8.5.0-alpha.21

v8.5.0-alpha.22

v8.5.0-alpha.3

v8.5.0-alpha.4

v8.5.0-alpha.5

v8.5.0-alpha.6

v8.5.0-alpha.7

v8.5.0-alpha.8

v8.5.0-alpha.9

v8.5.0-beta.0

v8.5.0-beta.1

v8.5.0-beta.10

v8.5.0-beta.11

v8.5.0-beta.2

v8.5.0-beta.3

v8.5.0-beta.4

v8.5.0-beta.5

v8.5.0-beta.6

v8.5.0-beta.7

v8.5.0-beta.8

v8.5.0-beta.9

v8.6.0

v8.6.0-alpha.0

v8.6.0-alpha.1

v8.6.0-alpha.2

v8.6.0-alpha.3

v8.6.0-alpha.4

v8.6.0-alpha.5

v8.6.0-beta.0

v8.6.0-beta.1

v8.6.0-beta.10

v8.6.0-beta.2

v8.6.0-beta.3

v8.6.0-beta.4

v8.6.0-beta.5

v8.6.0-beta.6

v8.6.0-beta.7

v8.6.0-beta.8

v8.6.0-beta.9

v8.6.1

v8.6.10

v8.6.11

v8.6.12

v8.6.13

v8.6.14

v8.6.2

v8.6.3

v8.6.4

v8.6.5

v8.6.6

v8.6.7

v8.6.8

v8.6.9

v9.*

v9.0.0

v9.1.0

v9.1.0-alpha.0

v9.1.0-alpha.1

v9.1.0-alpha.10

v9.1.0-alpha.2

v9.1.0-alpha.3

v9.1.0-alpha.4

v9.1.0-alpha.5

v9.1.0-alpha.6

v9.1.0-alpha.7

v9.1.0-alpha.8

v9.1.0-alpha.9

v9.1.0-beta.0

v9.1.0-beta.1

v9.1.0-beta.2

v9.1.0-beta.3

v9.1.1

v9.1.10

v9.1.11

v9.1.12

v9.1.13

v9.1.14

v9.1.15

v9.1.16

v9.1.2

v9.1.3

v9.1.4

v9.1.5

v9.1.6

v9.1.7

v9.1.8

v9.1.9

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-68429.json"