Storybook manager bundle may expose environment variables during build
Severity: High
Description
On December 11th, the Storybook team received a responsible disclosure alerting them to a potential vulnerability in certain built and published Storybooks.
The vulnerability is a bug in how Storybook handles environment variables defined in a `.env` file. In specific circumstances it could cause those variables to be bundled unexpectedly into the artifacts produced by the `storybook build` command, so anyone who can fetch the published static Storybook could read them.
Recommendation
Update the storybook package to the patched release for the major version in use. Version details:
- 10.x: affected >= 10.0.0, < 10.1.10; patched in 10.1.10
- 9.x: affected >= 9.0.0, < 9.1.17; patched in 9.1.17
- 8.x: affected >= 8.0.0, < 8.6.15; patched in 8.6.15
- 7.x: affected >= 7.0.0, < 7.6.21; patched in 7.6.21
If a Storybook built with an affected version has already been published, also check the published artifacts for bundled `.env` values and rotate any credential found in them.
References
- GHSA-8452-54wp-rmv6
- storybook.js.org
- CVE-2025-68429
- CWE-200
- CWE-538
- CWE-541
- CAPEC-310
- OWASP 2021-A1
- OWASP 2021-A5
- OWASP 2021-A6
Related Issues
- Parse Server allows public `explain` queries which may expose sensitive database performance information and schema deta - CVE-2025-64502
- @perfood/couch-auth may expose session tokens, passwords - CVE-2025-60794
- webpack buildHttp: allowedUris allow-list bypass via URL userinfo (@) leading to build-time SSRF behavior - CVE-2025-68458
- Vite middleware may serve files starting with the same name with the public directory - CVE-2025-58751
Tags: npm, storybook
Last updated on January 07, 2026