- Context: Cloud
- Category: Secret Leakage
- Severity: 🔴 Critical
Evidence

```dockerfile
# Dockerfile
ARG NEXT_PUBLIC_MAPBOX_TOKEN
ENV NEXT_PUBLIC_MAPBOX_TOKEN=$NEXT_PUBLIC_MAPBOX_TOKEN
RUN pnpm run build
```

`NEXT_PUBLIC_*` variables in Next.js are inlined at build time into the JavaScript bundle. The Mapbox token is therefore embedded in the compiled static assets inside the Docker image. Any party who can:

- pull the Docker image from a registry (even a private one, given a leaked pull token),
- extract the image layers with `docker save` or `dive`, and
- browse the `.next/static/chunks/*.js` files

will find the Mapbox token in plaintext. Unlike a server-side env var that exists only at runtime, the token cannot be rotated out of the bundle without a full rebuild and redeployment; revoking it at Mapbox immediately breaks the map feature in every deployed copy until that rebuild ships.

Additionally, the value survives in the image metadata independently of the bundle:

```console
$ docker history <image> --no-trunc
```

The history entry for the `RUN pnpm run build` layer records the build args it consumed (`|1 NEXT_PUBLIC_MAPBOX_TOKEN=<value> /bin/sh -c pnpm run build`), and the `ENV` instruction records the value both in history and in the image config, so `docker inspect` and every container's runtime environment expose it as well.

Impact: Permanent exposure of the Mapbox token in all distributed or stored image artifacts. Tokens passed as CI/CD build args are also captured in CI logs unless explicitly masked. The practical severity depends on the token type: a Mapbox public token (`pk.`) is designed to be shipped to browsers and should be scoped to the minimum APIs and URL-restricted, while a secret token (`sk.`) must never be built into a client bundle at all.

Affected files: Dockerfile
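The following scanner is an added example, not code from the original finding or the affected project. It checks a `docker save` tarball in exactly the two places described above: the image config JSON (the `ENV` value and the `created_by` build history that records the ARG consumed by `RUN`) and the layer filesystems (which hold `.next/static/chunks/*.js`). The tarball is constructed in memory to mimic the `docker save` layout so the script runs offline; the token string, file names and config hash are placeholders, and the token regex is a heuristic assumption about Mapbox token shape (`pk.`/`sk.` followed by two base64url segments).

```python
"""Scan a `docker save` tarball for Mapbox tokens baked into the image.

Added example, not part of the original finding. Checks (1) the image config
JSON for ENV values and ARG values recorded in build history, and (2) every
file in every layer, which covers .next/static/chunks/*.js.
"""
import io
import json
import re
import tarfile

# Heuristic Mapbox token shape (assumption): pk./sk. prefix and two base64url
# segments, as in pk.eyJ1Ijoi....<signature>.
MAPBOX_TOKEN_RE = re.compile(r"\b(?:pk|sk)\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}")

# Constructed placeholder, not a real credential.
FAKE_TOKEN = "pk.eyJ1IjoiZXhhbXBsZSIsImEiOiJjbGFiYzEyMyJ9.FAKEsignature0123456789"


def _tar_bytes(files):
    """Build a tar archive in memory from {path: bytes}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for path, data in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def build_sample_image():
    """Constructed stand-in for the output of `docker save app:latest`."""
    layer = _tar_bytes({
        "app/.next/static/chunks/app-page-1a2b3c.js":
            ('mapboxgl.accessToken="%s";' % FAKE_TOKEN).encode(),
        "app/.next/static/chunks/webpack-9f8e.js": b"(()=>{})();",
    })
    config = {
        "config": {"Env": ["NEXT_PUBLIC_MAPBOX_TOKEN=" + FAKE_TOKEN]},
        "history": [
            {"created_by": "ARG NEXT_PUBLIC_MAPBOX_TOKEN"},
            {"created_by": "ENV NEXT_PUBLIC_MAPBOX_TOKEN=" + FAKE_TOKEN},
            {"created_by": "|1 NEXT_PUBLIC_MAPBOX_TOKEN=%s /bin/sh -c pnpm run build" % FAKE_TOKEN},
        ],
    }
    cfg_name = "abc123.json"  # placeholder for the config digest file name
    return _tar_bytes({
        "manifest.json": json.dumps([{"Config": cfg_name, "Layers": ["layer1/layer.tar"]}]).encode(),
        cfg_name: json.dumps(config).encode(),
        "layer1/layer.tar": layer,
    })


def scan_saved_image(image_tar):
    """Return [(location, token)] for every Mapbox-shaped token in the image."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(image_tar)) as outer:
        manifest = json.load(outer.extractfile("manifest.json"))
        for entry in manifest:
            cfg = json.load(outer.extractfile(entry["Config"]))
            # 1. Image config: ENV values and build history (ARG values used by RUN).
            for env in cfg.get("config", {}).get("Env", []):
                for m in MAPBOX_TOKEN_RE.findall(env):
                    findings.append(("config.Env", m))
            for h in cfg.get("history", []):
                for m in MAPBOX_TOKEN_RE.findall(h.get("created_by", "")):
                    findings.append(("history: " + h["created_by"][:40], m))
            # 2. Layer filesystems: scan every regular file as text.
            for layer_path in entry["Layers"]:
                with tarfile.open(fileobj=outer.extractfile(layer_path)) as layer:
                    for member in layer.getmembers():
                        if not member.isfile():
                            continue
                        data = layer.extractfile(member).read()
                        for m in MAPBOX_TOKEN_RE.findall(data.decode("utf-8", "ignore")):
                            findings.append((layer_path + ":" + member.name, m))
    return findings


if __name__ == "__main__":
    for where, tok in scan_saved_image(build_sample_image()):
        print(f"{where}  ->  {tok[:12]}...")
```

Against a real image, replace `build_sample_image()` with the bytes of `docker save <image>` and expect the same four kinds of hit: `config.Env`, the `ENV` history line, the `|1 ...` history line for the `RUN` layer, and the chunk file itself. A Dockerfile fix that only removes the `ARG`/`ENV` lines clears the first three but not the fourth, since the bundle still contains the inlined value.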