
Security advisory
Impacted versions 7–10. Patches available now.

On December 11th, 2025, the Storybook team received a responsible disclosure alerting us to a potential vulnerability in certain built and published Storybooks.
The vulnerability is a bug in how Storybook handles environment variables defined in a .env file, which could, in specific circumstances, lead to those variables being unexpectedly bundled into the artifacts created by the storybook build command. When a built Storybook is published to the web, the bundle’s source is viewable, thus potentially exposing those variables to anyone with access. If those variables contained secrets, they should be considered compromised.
No one has reported an exploited project to us. Once we learned of the vulnerability, we worked diligently to release patched versions and distribute a GitHub security advisory (CVE-2025-68429).
Who is impacted?
For a project to be vulnerable to this issue, it must:
- Build the Storybook (i.e. run storybook build directly or indirectly) in a directory that contains a .env file (including variants like .env.local)
- The .env file contains sensitive secrets
- Use Storybook version 7.0.0 or above
- Publish the built Storybook to the web
Storybooks built without a .env file at build time are not affected, including common CI-based builds where secrets are provided via platform environment variables rather than .env files.
Your Storybook runtime environments (i.e. storybook dev) are not affected. Your deployed applications that share a repo with your Storybook are not affected.
Storybook 6 and below are not affected.
Recommended actions
First, we are recommending that everyone audit for any sensitive secrets provided via .env files and rotate those keys.
Second, we have released patched versions of all affected major Storybook versions that no longer have this vulnerability. You should upgrade your Storybook—on both your local machines and CI environments—to one of these versions before publishing again.
- 10.1.10+
- 9.1.17+
- 8.6.15+
- 7.6.21+
Finally, some projects may have been relying on the undocumented behavior at the heart of this issue and will need to change how they reference environment variables after this update. If your project can no longer read necessary environmental variable values, you can either prefix the variables with STORYBOOK_ or use the env property in Storybook’s configuration to manually specify values. In either case, do not include sensitive secrets as they will be included in the built bundle.
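The audit step above is easier when it is mechanical. The following is an added example, not Storybook's own tooling: it parses a .env file and checks whether any of its keys or values appear in a built manager bundle, separating STORYBOOK_-prefixed variables (public by design) from everything else. The .env text and the bundle text are constructed inline so it runs offline; the storybook-static/ output directory named in the comments is an assumption about where a real build would be read from.

```javascript
// Added example, not Storybook's own code: audit a built Storybook bundle for
// variables that came from a .env file. The .env text and the bundle text are
// constructed inline so the example runs offline; against a real project you
// would read .env / .env.* and the manager JS under storybook-static/ instead
// (the output directory name is an assumption).

// Minimal .env parser: KEY=VALUE lines, '#' comments, optional surrounding quotes.
function parseDotenv(text) {
  const vars = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith('#')) continue;
    const eq = line.indexOf('=');
    if (eq === -1) continue;
    const key = line.slice(0, eq).trim();
    let value = line.slice(eq + 1).trim();
    if ((value.startsWith('"') && value.endsWith('"') && value.length >= 2) ||
        (value.startsWith("'") && value.endsWith("'") && value.length >= 2)) {
      value = value.slice(1, -1);
    }
    vars[key] = value;
  }
  return vars;
}

function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// A bundler that inlines the whole process.env object emits it as an object
// literal, so a leaked variable shows up as its quoted key followed by a colon.
// The value is checked too, which catches a variable inlined on its own; short
// values such as "dark" can false-positive, so the key match is the stronger signal.
function findLeakedVars(envVars, bundleText) {
  const leaked = [];
  for (const [key, value] of Object.entries(envVars)) {
    const keyRe = new RegExp('["\']' + escapeRegExp(key) + '["\']\\s*:');
    const valueFound = value.length > 0 && bundleText.includes(value);
    if (keyRe.test(bundleText) || valueFound) leaked.push(key);
  }
  return leaked;
}

// STORYBOOK_-prefixed variables are public by design; anything else found in a
// published bundle should be treated as compromised and rotated.
function auditBundle(envVars, bundleText) {
  const leaked = findLeakedVars(envVars, bundleText);
  return {
    leaked,
    compromised: leaked.filter((k) => !k.startsWith('STORYBOOK_')),
  };
}

// Constructed sample inputs (not real secrets).
const SAMPLE_DOTENV = [
  '# constructed sample .env',
  'STORYBOOK_THEME=dark',
  'API_TOKEN="sk-example-not-a-real-token"',
  "DB_PASSWORD='hunter2'",
  'EMPTY=',
].join('\n');

// What a leaky manager bundle looks like after the whole object was inlined,
// versus a bundle that only carries the public STORYBOOK_ variable.
const SAMPLE_BUNDLE_LEAKY =
  'var e={"STORYBOOK_THEME":"dark","API_TOKEN":"sk-example-not-a-real-token","DB_PASSWORD":"hunter2","EMPTY":""};';
const SAMPLE_BUNDLE_CLEAN = 'var e={"STORYBOOK_THEME":"dark"};';

const sampleEnvVars = parseDotenv(SAMPLE_DOTENV);
console.log('leaky bundle:', auditBundle(sampleEnvVars, SAMPLE_BUNDLE_LEAKY));
console.log('clean bundle:', auditBundle(sampleEnvVars, SAMPLE_BUNDLE_CLEAN));
```

Any key reported under compromised means the published artifact carried that variable; rotate it regardless of whether the value itself was found, since the key match shows the whole object was inlined.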
Issue details
Storybook can be built as a static web application. The JavaScript code for Storybook’s UI, addons, and manager configuration (.storybook/manager.js|ts) is bundled into what we call the “manager code”. When bundling this code, Storybook could include all variables defined in a .env file when specific conditions were met:
1. Has a .env file
The project has a .env (or .env.local, .env.dev, etc.) file in the directory from which the Storybook is built and published (typically the project root). Storybook is built by the storybook build command, which may be run indirectly through commands like chromatic. For example, your local filesystem contains a .env file and you run storybook build in your CLI. Or, your CI environment uses a .env file and you build Storybook there.
2. Uses specific process.env code patterns
If your Storybook’s manager.js|ts or addons evaluate the expression process.env as an object (i.e. without accessing a static property).
{ ...process.env } // Vulnerable
const env = process.env // Vulnerable
const { MY_VAR } = process.env // Vulnerable
process.env[dynamicValue] // Vulnerable
process.env.MY_VAR // Safe, if MY_VAR is available (see next pattern)

Or if they reference any process.env.* variable when that variable is not available to Storybook. Variables are available to Storybook when they are defined in a .env file or by being explicitly set in Storybook’s configuration. They are also available when prefixed with STORYBOOK_, but we are assuming those values are not secret.
If these two conditions are met, then every variable (not just those that are referenced in code) in the .env file is bundled into the built Storybook.
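The patterns above can be screened for before a build. The following is an added example, not Storybook's own code: a heuristic text scanner for .storybook/manager.js|ts and addon manager code that classifies each process.env reference the way the advisory does (object-style access, static access to an available name, static access to an unavailable name). It matches text rather than an AST, so its output is a starting point for review. The availableVars parameter and the sample manager.js are assumptions constructed for the example.

```javascript
// Added example, not Storybook's own code: a heuristic scanner for the
// process.env patterns the advisory lists, meant for auditing
// .storybook/manager.js|ts and addon manager code. It matches text, not an AST.
// availableVars holds the names Storybook can resolve at build time under the
// advisory's rule (defined in .env or via the env config property);
// STORYBOOK_-prefixed names are always treated as available.
function scanManagerSource(source, availableVars = new Set()) {
  // Group 1 captures a static property name when the access is `process.env.NAME`;
  // any other continuation (spread, assignment, destructuring, `[dynamic]`) leaves
  // it undefined, which is the "evaluated as an object" case.
  const re = /process\.env(?:\.([A-Za-z_$][\w$]*))?/g;
  const lines = source.split('\n');
  const findings = [];
  let m;
  while ((m = re.exec(source)) !== null) {
    const lineNo = source.slice(0, m.index).split('\n').length;
    const snippet = lines[lineNo - 1].trim();
    const name = m[1];
    if (name === undefined) {
      findings.push({ lineNo, snippet, pattern: 'object-access', vulnerable: true });
    } else if (name.startsWith('STORYBOOK_') || availableVars.has(name)) {
      findings.push({ lineNo, snippet, pattern: 'static-property', name, vulnerable: false });
    } else {
      // Static reference to a variable Storybook cannot resolve at build time:
      // per the advisory this also triggers the whole-object bundling.
      findings.push({ lineNo, snippet, pattern: 'unavailable-static-property', name, vulnerable: true });
    }
  }
  return findings;
}

function vulnerableFindings(source, availableVars) {
  return scanManagerSource(source, availableVars).filter((f) => f.vulnerable);
}

// Constructed sample manager.js exercising every pattern from the advisory.
const SAMPLE_MANAGER_SOURCE = [
  '// constructed sample .storybook/manager.js',
  'const { MY_VAR } = process.env;',            // object-access
  'const theme = process.env.STORYBOOK_THEME;', // safe: STORYBOOK_ prefix
  'const key = process.env.ANALYTICS_KEY;',     // safe only if ANALYTICS_KEY is available
  'const all = { ...process.env };',            // object-access
  'const dyn = process.env[name];',             // object-access
].join('\n');

for (const f of vulnerableFindings(SAMPLE_MANAGER_SOURCE)) {
  console.log(`line ${f.lineNo}: ${f.pattern} -> ${f.snippet}`);
}
```

Passing the keys of the project's .env file (and any names set through the env config property) as availableVars turns the ANALYTICS_KEY line from a finding into a safe static access, which mirrors the advisory's availability rule; the three object-style accesses stay flagged whatever is available.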
We audited the 100 most popular open source Storybook addons and identified the following which contain code patterns that can trigger this vulnerability when used with affected versions of Storybook:
- @chromatic-com/storybook (Visual Tests addon)
- @storybook/addon-designs
- @amplitude/storybook-addon-amplitude - This does not actually contain the vulnerable pattern in the source, but its documentation guides people toward referencing environment variables in manager.js|ts.
This list is not exhaustive, and other addons or custom manager code may also reference environment variables in ways that exercise the affected code paths.
The vulnerability itself exists in Storybook. These addons are not unsafe on their own and do not need to make changes, as long as users upgrade to a patched version of Storybook.
While we are advising everyone to follow our recommended actions above, this is especially true for projects using these addons.
If your project is built and published with Chromatic, proactive actions have been taken to mitigate exposure. More details in Chromatic’s security advisory.
Thank you to Matt G for the responsible disclosure.