Storybook Vulnerability Exposes Sensitive Environment Variables
CVE Notify is flagging a significant vulnerability, CVE-2025-68429, impacting Storybook versions prior to 7.6.21, 8.6.15, 9.1.17, and 10.1.10. The issue stems from how Storybook handles environment variables defined in .env files during the build process (storybook build). In specific scenarios, these variables can be inadvertently bundled into the final build artifacts. When a built Storybook is deployed and made publicly accessible on the web, the source code is often viewable, creating a risk of exposing sensitive information like API keys or other secrets.
According to CVE Notify, a project is susceptible if it builds its Storybook in a directory containing a .env file (including variants like .env.local) and subsequently publishes the built Storybook online. It’s crucial to note that Storybooks built without a .env file present at build time, or those built in CI environments where secrets are managed differently (e.g., platform environment variables), are not affected. Furthermore, the vulnerability does not impact Storybook’s runtime development environment (storybook dev) or separate deployed applications sharing a repository with the Storybook.
To mitigate this risk, CVE Notify strongly advises users to upgrade their Storybook installations to the patched versions (7.6.21, 8.6.15, 9.1.17, or 10.1.10) on both local development machines and CI/CD pipelines. Beyond upgrading, maintainers recommend a thorough audit of .env files for any sensitive secrets and suggest rotating compromised keys immediately. Projects that previously relied on this undocumented behavior might need to adjust their environment variable handling. If necessary, prefixing variables with STORYBOOK_ or explicitly defining them in the Storybook configuration (env property) are suggested workarounds, but the core advice remains: never commit sensitive secrets to .env files destined for public-facing builds.
What This Means For You
- Security teams should implement automated checks within their CI/CD pipelines to scan `.env` files for common sensitive keywords (e.g., `API_KEY`, `SECRET`, `PASSWORD`) before they are used in build processes that could lead to public exposure.
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2025-68429 | Information Disclosure | Software: Storybook, Versions: < 7.6.21, < 8.6.15, < 9.1.17, < 10.1.10. Vulnerability: Environment variables in .env files are bundled into build artifacts when running 'storybook build' in a directory containing a .env file, potentially exposing secrets when the built Storybook is published to the web. |
| CVE-2025-68429 | Misconfiguration | Software: Storybook. Vulnerability: Improper handling of environment variables from .env files during the 'storybook build' process, leading to potential exposure of sensitive information in published artifacts. |