
Storybook security advisory
Impacted versions 7–10. Patches available now.
On December 11th, the Storybook team received a responsible disclosure reporting a potential vulnerability in Storybook 7.0 and above affecting certain Storybook builds, including some that may be hosted on Chromatic.
The Chromatic application itself was not compromised; however, Storybooks published to Chromatic may contain exposed secrets.
Who is impacted?
Our investigation determined that running storybook build in a directory that also contains an .env file could, under certain conditions, cause the contents of the .env file to be bundled into the built Storybook’s JavaScript bundle. The chromatic CLI runs storybook build as part of the publishing process.
Storybooks published on Chromatic may be impacted by this vulnerability if they meet the conditions outlined here.
Preventative measures
There’s a greater exposure risk for Storybooks whose visibility is set to public because they do not require authentication to view. Out of an abundance of caution, we proactively changed the visibility of all public Storybooks published on Chromatic to private.
After reviewing and completing the recommended actions, you can reset your Storybook visibility to public.
Recommended actions
We recommend that Chromatic users take the following actions:
- Audit your .env files for sensitive secrets
- Rotate secret keys in .env files where you’ve run storybook build or chromatic, regardless of whether they meet the exact criteria for potential exposure.
- Update Storybook to the latest patch version for your major version: 10.1.10+, 9.1.17+, 8.6.15+, 7.6.21+
For any questions or clarifications, please contact us at support@chromatic.com or by using the support chat form in the Chromatic web application.