Skip to content

Update dependency storybook to v8.6.17 [SECURITY]#27352

Open
renovate[bot] wants to merge 1 commit intomainfrom
renovate/npm-storybook-vulnerability
Open

Update dependency storybook to v8.6.17 [SECURITY]#27352
renovate[bot] wants to merge 1 commit intomainfrom
renovate/npm-storybook-vulnerability

Conversation

@renovate
Copy link
Copy Markdown
Contributor

@renovate renovate bot commented Apr 12, 2026

This PR contains the following updates:

Package Change Age Confidence
storybook (source) 8.6.158.6.17 age confidence

GitHub Vulnerability Alerts

CVE-2026-27148

Summary

The WebSocket functionality in Storybook's dev server, used to create and update stories, is vulnerable to WebSocket hijacking. This vulnerability only affects the Storybook dev server; production builds are not impacted.

Details

Exploitation requires a developer to visit a malicious website while their local Storybook dev server is running. Because the WebSocket connection does not validate the origin of incoming connections, a malicious site can silently send WebSocket messages to the local instance without any further user interaction.

If a Storybook dev server is intentionally exposed publicly (e.g. for design reviews or stakeholder demos) the risk is higher, as no malicious site visit is required. Any unauthenticated attacker can send WebSocket messages to it directly.

The vulnerability affects the WebSocket message handlers for creating and saving stories, which can be exploited via unauthorized WebSocket connections to achieve persistent XSS or Remote Code Execution (RCE).

Note: recent versions of Chrome have some protections against this, but Firefox does not.

Impact

This vulnerability can lead to supply chain compromise. Key risks include:

  • Remote Code Execution: The vulnerability can allow attackers to execute malicious code, with the extent of impact depending on the configuration. Server-side RCE is possible in non-default configurations, such as when stories are executed via portable stories in JSDOM, potentially allowing attackers to exfiltrate credentials and environment variables, access source code and the filesystem, establish backdoors, or pivot to internal network resources.
  • Persistent XSS: Malicious payloads are written directly into story source files. If the malicious payload is committed to version control, it becomes part of the codebase and can propagate to deployed Storybook documentation sites, affecting developers and stakeholders who view them.
  • Supply Chain Propagation: If the modified source files are committed, injected code can spread to other team members via git, execute in CI/CD pipelines, and affect shared component libraries used across multiple projects.

Affected versions

8.1 and above. While the exploitable functionality was introduced in 8.1, the patch has been applied to 7.x as a precautionary measure given the underlying WebSocket behaviour.

Recommended actions

Update to one of the patched versions: 7.6.23, 8.6.17, 9.1.19, 10.2.10.

Release Notes

storybookjs/storybook (storybook)

v8.6.17

Compare Source

8.6.17

  • Harden websocket connection

v8.6.16

Compare Source

8.6.16

  • No-op release. No changes.

Configuration

📅 Schedule: (in timezone Etc/UTC)

  • Branch creation
    • ""
  • Automerge
    • Only on Sunday and Saturday (* * * * 0,6)
    • Between 12:00 AM and 12:59 PM, only on Monday (* 0-12 * * 1)
    • Between 10:00 PM and 11:59 PM, Monday through Friday (* 22-23 * * 1-5)
    • Between 12:00 AM and 04:59 AM, Tuesday through Saturday (* 0-4 * * 2-6)

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@github-actions github-actions bot added the dependencies Pull requests that update a dependency file label Apr 12, 2026
@renovate renovate bot force-pushed the renovate/npm-storybook-vulnerability branch from 475e362 to 93c3366 Compare April 12, 2026 07:11
@sonarqubecloud
Copy link
Copy Markdown

sonarqubecloud bot commented Apr 12, 2026

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

@codecov
Copy link
Copy Markdown

codecov bot commented Apr 12, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 73.45%. Comparing base (016544f) to head (93c3366).

Additional details and impacted files 
@@           Coverage Diff           @@
##             main   #27352   +/-   ##
=======================================
  Coverage   73.45%   73.45%           
=======================================
  Files        1545     1545           
  Lines      123724   123724           
  Branches    14967    14967           
=======================================
  Hits        90883    90883           
  Misses      31818    31818           
  Partials     1023     1023
Flag Coverage Δ
admin-tests 54.36% <ø> (ø)
e2e-tests 73.45% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants