Storybook Environment Variable Exposure Vulnerability
Vulnerability
A vulnerability in Storybook versions 7.0.0 and above, prior to 7.6.21, 8.6.15, 9.1.17, and 10.1.10, allows for the unintended inclusion of environment variables from a .env file into the build artifacts. This issue arises when Storybook is built in a directory containing a .env file with sensitive secrets, and the published version is made available on the web. The vulnerability does not affect Storybook runtime environments or applications that share a repository with the Storybook project.
Impact
Exposing sensitive environment variables from a .env file in the published Storybook, potentially compromising any secrets included in those variables.
Reproduction
To reproduce this vulnerability, create a Storybook project and include a .env file in the project directory with sensitive secrets. Ensure that the Storybook version is an affected one (7.0.0 or above, prior to the fixed releases). Build the Storybook using the 'storybook build' command, and then publish the built Storybook to the web. The environment variables from the .env file will be bundled into the published Storybook, exposing the secrets to anyone with access.
Remediation
Upgrade Storybook to version 7.6.21, 8.6.15, 9.1.17, or 10.1.10. After upgrading, audit for any sensitive secrets in .env files and rotate those keys. If the project can no longer access necessary environment variable values, prefix the variables with 'STORYBOOK_' or use the 'env' property in Storybook's configuration to manually specify values, excluding sensitive secrets from the built bundle.