
exploitDog


CVE-2025-68429

Published: 17 Dec 2025
Source: nvd
CVSS3: 7.3
EPSS: Low

Description

Storybook is a frontend workshop for building user interface components and pages in isolation. A vulnerability present starting in versions 7.0.0 and prior to versions 7.6.21, 8.6.15, 9.1.17, and 10.1.10 relates to Storybook’s handling of environment variables defined in a .env file, which could, in specific circumstances, lead to those variables being unexpectedly bundled into the artifacts created by the storybook build command. When a built Storybook is published to the web, the bundle’s source is viewable, thus potentially exposing those variables to anyone with access. For a project to potentially be vulnerable to this issue, it must build the Storybook (i.e. run storybook build directly or indirectly) in a directory that contains a .env file (including variants like .env.local) and publish the built Storybook to the web. Storybooks built without a .env file at build time are not affected, including common CI-based builds where secrets are provided via platform en

EPSS

Percentile: 3%
0.00017
Low

7.3 High

CVSS3

Weaknesses

CWE-200

Related vulnerabilities

CVSS3: 7.3
github
about 2 months ago

Storybook manager bundle may expose environment variables during build
