CVE-2022-29230 MEDIUM

CVE-2022-29230: Potential cross-site scripting (XSS) vulnerability in Hydrogen

Vendor Shopify
Product hydrogen
Weakness CWE-79 · XSS
Published May 18, 2022
Last update April 23, 2025
View on NVD All CVEs

CVSS base score

6.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

What the vulnerability does

01Description

Hydrogen is a React-based framework for building dynamic, Shopify-powered custom storefronts. There is a potential Cross-Site Scripting (XSS) vulnerability where an arbitrary user is able to execute scripts on pages that are built with Hydrogen. This affects all versions of Hydrogen starting from version 0.10.0 to 0.18.0. This vulnerability is exploitable in applications whose hydrating data is user controlled. All Hydrogen users should upgrade their project to version 0.19.0. There is no current workaround, and users should update as soon as possible. Additionally, the Content Security Policy is not an effective mitigation for this vulnerability.

Key dates

02Disclosure timeline

May 18, 2022 CVE published
April 23, 2025 Record updated

Related vulnerabilities

04Related CVE

CVE-2024-50339 GLPI vulnerable to unauthenticated session hijacking CVE-2023-3382 SourceCodester Game Result Matrix System GET Parameter save-delegates.php cross site scripting CVE-2026-1444 iJason-Liu Books_Manager add_book_check.php cross site scripting CVE-2025-9722 Portabilis i-Educar educar_tipo_ocorrencia_disciplinar_cad.php cross site scripting CVE-2022-45363 WordPress Betheme premium theme <= 26.6.1 - Auth. Stored Cross-Site Scripting (XSS) vulnerability