cvedb.io
CVE-2022-29230
MEDIUM · CVSS 6.3
EPSS exploitation probability: 0%
Published 2022-05-18T21:15:07.823 · Last modified 2026-06-17T04:39:52.793

Summary

Hydrogen is a React-based framework for building dynamic, Shopify-powered custom storefronts. There is a potential Cross-Site Scripting (XSS) vulnerability where an arbitrary user is able to execute scripts on pages that are built with Hydrogen. This affects all versions of Hydrogen starting from version 0.10.0 to 0.18.0. This vulnerability is exploitable in applications whose hydrating data is user controlled. All Hydrogen users should upgrade their project to version 0.19.0. There is no current workaround, and users should update as soon as possible. Additionally, the Content Security Policy is not an effective mitigation for this vulnerability.

Affected products

shopify — hydrogen

Does this affect you?

Add your gear to cvedb and we'll alert you only when shopify ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.