Storybook
Monthly
Cross-site WebSocket hijacking leading to persistent XSS and Remote Code Execution affects Storybook's dev server prior to versions 7.6.23, 8.6.17, 9.1.19, and 10.2.10. Because the dev server's story create/save WebSocket handlers fail to validate the connection origin and do not sanitize the componentFilePath field, a malicious website silently injects WebSocket messages into a developer's locally running instance to plant XSS or execute code; publicly exposed dev servers can be hit directly by any unauthenticated attacker. No public exploit identified at time of analysis, and EPSS is low at 0.17% (38th percentile), but the high CVSS 4.0 score of 8.9 and confirmed RCE impact make this a meaningful developer-workstation risk.
Information disclosure in Storybook for Node.js versions 7.0.0 through 10.1.9 exposes environment variables from `.env` files when using `storybook build` command. Unpatched projects building Storybook in directories containing `.env` files risk bundling sensitive credentials into publicly viewable artifacts. Unauthenticated attackers accessing published Storybook bundles can extract secrets from source code. Runtime dev mode, CI builds using platform environment variables, and co-located applications remain unaffected. No public exploit identified at time of analysis.
Cross-site WebSocket hijacking leading to persistent XSS and Remote Code Execution affects Storybook's dev server prior to versions 7.6.23, 8.6.17, 9.1.19, and 10.2.10. Because the dev server's story create/save WebSocket handlers fail to validate the connection origin and do not sanitize the componentFilePath field, a malicious website silently injects WebSocket messages into a developer's locally running instance to plant XSS or execute code; publicly exposed dev servers can be hit directly by any unauthenticated attacker. No public exploit identified at time of analysis, and EPSS is low at 0.17% (38th percentile), but the high CVSS 4.0 score of 8.9 and confirmed RCE impact make this a meaningful developer-workstation risk.
Information disclosure in Storybook for Node.js versions 7.0.0 through 10.1.9 exposes environment variables from `.env` files when using `storybook build` command. Unpatched projects building Storybook in directories containing `.env` files risk bundling sensitive credentials into publicly viewable artifacts. Unauthenticated attackers accessing published Storybook bundles can extract secrets from source code. Runtime dev mode, CI builds using platform environment variables, and co-located applications remain unaffected. No public exploit identified at time of analysis.