Storybook manager bundle may expose environment variables during build
- Severity: High
Description
On December 11th, the Storybook team received a responsible disclosure alerting them to a potential vulnerability in certain built and published Storybooks.
The vulnerability is a bug in how Storybook handles environment variables defined in a .env file, which could, in specific circumstances, lead to those variables being unexpectedly bundled into the artifacts created by the storybook build command.
Recommendation
Update the storybook package to the latest compatible version. Version details:
Affected version(s):
- >= 10.0.0, < 10.1.10
- >= 9.0.0, < 9.1.17
- >= 8.0.0, < 8.6.15
- >= 7.0.0, < 7.6.21
Patched version(s):
- 10.1.10
- 9.1.17
- 8.6.15
- 7.6.21
References
- GHSA-8452-54wp-rmv6
- storybook.js.org
- CVE-2025-68429
- CWE-200
- CWE-538
- CWE-541
- CAPEC-310
- OWASP 2021-A1
- OWASP 2021-A5
- OWASP 2021-A6
Related Issues
- @perfood/couch-auth may expose session tokens, passwords - CVE-2025-60794
- Parse Server allows public `explain` queries which may expose sensitive database performance information and schema deta - CVE-2025-64502
- snowflake-sdk may incorrectly validate temporary credential cache file permissions - CVE-2025-24791
- MongoDB Shell may be susceptible to Control Character Injection via autocomplete - CVE-2025-1691
- Tags: npm, storybook
Last updated on January 07, 2026