PT-2025-51974 · Storybook · Storybook

Author: Matt G · Published: 2025-12-17 · Updated: 2025-12-22

CVE-2025-68429 · CVSS v3.1: 7.3 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Name of the Vulnerable Software and Affected Versions

- Storybook versions prior to 7.6.21
- Storybook versions prior to 8.6.15
- Storybook versions prior to 9.1.17
- Storybook versions prior to 10.1.10

Description

Storybook’s handling of environment variables defined in a .env file can, in certain situations, result in those variables being included in the artifacts created by the storybook build command. When a built Storybook is published to the web, the bundle’s source is accessible, potentially exposing these variables. A project is potentially affected if it builds the Storybook with a .env file (including .env.local) in the build directory and publishes the built Storybook to the web. Storybooks built without a .env file at build time are not affected. Storybook runtime environments (e.g., storybook dev) are not affected, and deployed applications sharing a repository with the Storybook are also not affected. To mitigate this, users should upgrade their Storybook and audit for sensitive secrets provided via .env files, rotating those keys as needed. If environment variable values are no longer readable after the update, prefix the variables with STORYBOOK_ or use the env property in Storybook’s configuration to manually specify values.

Recommendations

- Upgrade Storybook to version 7.6.21 or later.
- Upgrade Storybook to version 8.6.15 or later.
- Upgrade Storybook to version 9.1.17 or later.
- Upgrade Storybook to version 10.1.10 or later.
- Audit for any sensitive secrets provided via .env files and rotate those keys.
- If necessary, prefix environment variables with STORYBOOK_.
- Alternatively, use the env property in Storybook’s configuration to manually specify environment variable values.

Exploit

Fix

Information Disclosure


Weakness Enumeration

Related Identifiers

CVE-2025-68429
GHSA-8452-54WP-RMV6

Affected Products

Storybook