Storybook · Storybook · CVE-2025-68429
**Name of the Vulnerable Software and Affected Versions**
Storybook versions prior to 7.6.21
Storybook versions prior to 8.6.15
Storybook versions prior to 9.1.17
Storybook versions prior to 10.1.10
**Description**
Storybook’s handling of environment variables defined in a `.env` file can, in certain situations, cause the values of those variables to be inlined into the static artifacts produced by the `storybook build` command. A built Storybook is a static bundle whose source is readable by anyone who can fetch it, so publishing it to the web can expose every `.env` value that was inlined, not only the values intended for the browser. A project is affected if it runs `storybook build` with a `.env` file (including `.env.local`) present in the build directory and then publishes the output. Storybooks built without a `.env` file at build time are not affected; the Storybook runtime (e.g., `storybook dev`) is not affected; and a deployed application that merely shares a repository with the Storybook is not affected by this issue. To mitigate, upgrade Storybook to a fixed version, audit the `.env` files that were present at build time for sensitive values, and rotate any secret that may have shipped in a published build, since the published output must be treated as readable by the public. If some environment variable values are no longer readable after the update, they were previously exposed by this issue; where a value is genuinely meant to be public, prefix its name with `STORYBOOK_` or set it explicitly through the `env` property in Storybook’s configuration.
**Recommendations**
Upgrade Storybook to version 7.6.21 or later.
Upgrade Storybook to version 8.6.15 or later.
Upgrade Storybook to version 9.1.17 or later.
Upgrade Storybook to version 10.1.10 or later.
Audit the `.env` files that were present at build time for sensitive values, treat any secret that was included in a published build as compromised, and rotate it.
If a variable is intended to be readable by the built Storybook, prefix its name with `STORYBOOK_`. Storybook deliberately exposes variables with this prefix to the browser bundle, so use it only for values that are safe to publish.
Alternatively, set the values explicitly through the `env` property in Storybook’s configuration (a function in `.storybook/main.js` that receives the current environment object and returns the one Storybook should use); the same rule applies, and only values that are safe to publish belong there.