
Non-public env var exposed client-side

vercel/next.js 6 comments 11d ago
medium | open | Scope: somewhat clear | Skill match: maybe | Next.js, TypeScript, React

Why this is a good first issue

Non-public env vars are being exposed client-side contrary to documentation.

AI Summary

The issue reports that non-public environment variables (without NEXT_PUBLIC_ prefix) are being exposed client-side in the document response, which contradicts Next.js documentation. This appears to be a framework-level behavior that needs investigation and potential modification. The main blocker is determining whether this is intentional behavior or a bug.

Issue Description

Link to the code that reproduces this issue

https://github.com/joostmeijles/nextjs-private-env-var-exposed

To Reproduce

  1. Create client-side React component with property, see ClientComponent.tsx
  2. Use the component in a page and pass a non-public env variable, see page.tsx
  3. Set env var SECRET to "my-secret"
  4. Build the application
  5. Start the application (or go to https://nextjs-private-env-var-exposed.vercel.app/)
  6. Inspect the document response and notice that it contains "my-secret"

Current vs. Expected behavior

The non-public environment variable "SECRET" is exposed in the client-side document.

Expectation is that only environment variables prefixed with "NEXT_PUBLIC" should be exposed client-side.

Provide environment information

Operating System:
  Platform: win32
  Arch: x64
  Version: Windows 11 Pro
  Available memory (MB): 32472
  Available CPU cores: 16
Binaries:
  Node: 22.16.0
  npm: 10.9.2
  Yarn: 1.22.19
  pnpm: 10.12.1
Relevant Packages:
  next: 15.5.1-canary.11 // Latest available version is detected (15.5.1-canary.11).
  eslint-config-next: N/A
  react: 19.1.1
  react-dom: 19.1.1
  typescript: 5.9.2
Next.js Config:
  output: N/A

Which area(s) are affected? (Select all that apply)

Not sure

Which stage(s) are affected? (Select all that apply)

Vercel (Deployed), next build (local)

Additional context

No response
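
The inspection in step 6 of the issue above can be automated. The following is an added example, not code from the issue, the reproduction repository or Next.js: it scans a rendered document for the values of environment variables that lack the NEXT_PUBLIC_ prefix, in raw and escaped forms. The names `findExposedEnv` and `encodings`, the `push(...)` script call and all sample data are constructed for illustration.

```javascript
// Added example; findExposedEnv, encodings and the sample data are hypothetical.
const PUBLIC_PREFIX = "NEXT_PUBLIC_";

// Forms a string can take in a document: raw, JSON-escaped, JSON inside a
// JS string literal (escaped twice), HTML-escaped and URL-encoded.
function encodings(value) {
  const json = JSON.stringify(value).slice(1, -1);
  const jsonTwice = JSON.stringify(json).slice(1, -1);
  const html = value.replace(/&/g, "&amp;").replace(/</g, "&lt;")
    .replace(/>/g, "&gt;").replace(/"/g, "&quot;");
  return [...new Set([value, json, jsonTwice, html, encodeURIComponent(value)])];
}

// Returns [{ name, offset }] for every non-public variable whose value occurs
// in the document. Values shorter than minLength are skipped to limit noise.
function findExposedEnv(html, env, minLength = 6) {
  const findings = [];
  for (const [name, value] of Object.entries(env)) {
    if (name.startsWith(PUBLIC_PREFIX)) continue; // intended to be public
    if (typeof value !== "string" || value.length < minLength) continue;
    const offsets = encodings(value)
      .map((form) => html.indexOf(form))
      .filter((i) => i >= 0);
    if (offsets.length > 0) findings.push({ name, offset: Math.min(...offsets) });
  }
  return findings;
}

// Constructed sample: a server environment and a simplified document in which
// a prop value appears both in markup and in an inlined, serialized payload.
const sampleEnv = {
  SECRET: "my-secret",
  API_KEY: 'k"ey-123', // only appears doubly escaped in the document
  NEXT_PUBLIC_SITE: "https://example.test",
  UNUSED_TOKEN: "never-rendered",
  PORT: "3000",
};
const payload = JSON.stringify({ secret: sampleEnv.SECRET, apiKey: sampleEnv.API_KEY });
const sampleHtml =
  `<a href="${sampleEnv.NEXT_PUBLIC_SITE}">home</a><div>${sampleEnv.SECRET}</div>` +
  `<script>push(${JSON.stringify(payload)})</script>`;

console.log(findExposedEnv(sampleHtml, sampleEnv));
```

Run against the saved document response of a build, with the build's real environment passed as `env`, a non-empty result is a finding to investigate.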

Risk Flags

  • security implications
  • potential breaking change

Details

Points: 20 pts
Difficulty: medium
Scope: somewhat clear
Skill Match: maybe
Test Focused: no