Potential Cross-site Scripting vulnerability in Hydrogen

Moderate severity GitHub Reviewed Published May 14, 2022 in Shopify/hydrogen-v1 • Updated Jan 27, 2023

Package

npm @shopify/hydrogen (npm)

Affected versions

>= 0.10.0, < 0.19.0

Patched versions

0.19.0

Description

Impact

There is a potential Cross-Site Scripting (XSS) vulnerability in which any user can execute scripts on pages built with Hydrogen. It affects all versions of Hydrogen from 0.10.0 through 0.18.0. The vulnerability is exploitable in applications whose hydrating data is user-controlled.

Patches

All Hydrogen users should upgrade their project to v0.19.0.

Workarounds

There is no current workaround, and users should update as soon as possible.

Additionally, a Content Security Policy is not an effective mitigation for this vulnerability.
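The Impact section above states the condition that makes this class of bug exploitable: hydration state that contains user-controlled values is embedded into the server-rendered HTML. The following is an added example, not code from Hydrogen or from the fix PR, showing why a plain JSON.stringify of that state is unsafe inside an inline script element and how a serializer that escapes the HTML-significant characters keeps the payload inert. The function names, the `window.__HYDRATION_STATE__` global and the sample product record are assumptions for illustration; the page does not describe Hydrogen's actual serialization path.

```javascript
// Added example (not Hydrogen's own code): serialize server-side hydration
// state so it can be embedded in an inline <script> without a string value
// being able to terminate the script element or inject markup.

// JSON unicode escapes for the characters the HTML parser (and, for the
// line terminators, older JS engines) would otherwise act on. The escaped
// form is still valid JSON, so JSON.parse returns the original characters.
const ESCAPES = {
  '<': '\\u003c',
  '>': '\\u003e',
  '&': '\\u0026',
  '\u2028': '\\u2028',
  '\u2029': '\\u2029',
};

function serializeHydrationState(state) {
  // JSON.stringify yields valid JavaScript, but it does not know it will be
  // placed inside HTML: a value containing "</script>" ends the script
  // element as far as the HTML parser is concerned, and everything after it
  // is parsed as markup. Escaping the characters above removes that path.
  return JSON.stringify(state).replace(/[<>&\u2028\u2029]/g, (c) => ESCAPES[c]);
}

function renderHydrationScript(state, globalName = '__HYDRATION_STATE__') {
  // The global name is part of the generated code, so only accept a plain
  // identifier rather than interpolating arbitrary text (assumed helper).
  if (!/^[A-Za-z_$][\w$]*$/.test(globalName)) {
    throw new Error(`invalid global name: ${globalName}`);
  }
  return `<script>window.${globalName} = ${serializeHydrationState(state)};</script>`;
}

// Defensive check a renderer can run on its own output: the payload must
// contain no raw angle brackets and must round-trip through JSON.parse
// to exactly the state that was serialized.
function isSafeHydrationPayload(serialized, original) {
  if (/[<>]/.test(serialized)) return false;
  return JSON.stringify(JSON.parse(serialized)) === JSON.stringify(original);
}

// Constructed sample state: a product field that a customer-facing input
// could populate, containing the sequence that ends an inline script.
const sampleState = {
  product: {
    title: 'Mug',
    description: 'A closing </script> tag inside the data is enough to end the script.',
  },
};

// Naive serialization fails the check; the escaping serializer passes it.
const naive = JSON.stringify(sampleState);
const safe = serializeHydrationState(sampleState);
console.log('naive payload safe?', isSafeHydrationPayload(naive, sampleState));   // false
console.log('escaped payload safe?', isSafeHydrationPayload(safe, sampleState));  // true
console.log(renderHydrationScript(sampleState));
```

The check only covers the inline-script sink; values that later flow into attributes, URLs or innerHTML on the client still need context-appropriate encoding there, which is why the advisory notes that a Content Security Policy alone does not address the issue.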

References

GitHub: Hydrogen v0.19.0
Fix PR: Shopify/hydrogen#1272

For more information

If you have any questions or comments about this advisory:

itsgarcia (@itsgarcia) published to Shopify/hydrogen-v1 May 14, 2022
Published by the National Vulnerability Database May 18, 2022
Published to the GitHub Advisory Database May 19, 2022
Reviewed May 19, 2022
Last updated Jan 27, 2023

Severity

Moderate
6.3 / 10

CVSS base metrics

Attack vector: Network
Attack complexity: Low
Privileges required: Low
User interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability: Low

Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Weaknesses

CVE ID

CVE-2022-29230

GHSA ID

GHSA-6j22-wv8g-894f

Source code
