Storybook manager bundle may expose environment variables during build
- Severity: High
Description
On December 11th, the Storybook team received a responsible disclosure alerting them to a potential vulnerability in certain built and published Storybooks.
The vulnerability is a bug in how Storybook handles environment variables defined in a .env file, which could, in specific circumstances, lead to those variables being unexpectedly bundled into the artifacts created by the storybook build command.
Recommendation
Update the storybook package to the patched release for the major version you use. If a vulnerable version was used to build a Storybook that has been published, treat any non-public value in that project's .env file as exposed: rotate it, then rebuild and republish with a patched version. Version details:
Affected version(s): **>= 10.0.0, < 10.1.10**; **>= 9.0.0, < 9.1.17**; **>= 8.0.0, < 8.6.15**; **>= 7.0.0, < 7.6.21**
Patched version(s): **10.1.10**, **9.1.17**, **8.6.15**, **7.6.21**
References
- GHSA-8452-54wp-rmv6
- storybook.js.org
- CVE-2025-68429
- CWE-200
- CWE-538
- CWE-541
- CAPEC-310
- OWASP 2021-A1
- OWASP 2021-A5
- OWASP 2021-A6
- Tags: npm, storybook
Last updated on January 07, 2026