CVE-2022-29230 - Vulnerability Details - OpenCVE

Hydrogen is a React-based framework for building dynamic, Shopify-powered custom storefronts. There is a potential Cross-Site Scripting (XSS) vulnerability where an arbitrary user is able to execute scripts on pages that are built with Hydrogen. This affects all versions of Hydrogen starting from version 0.10.0 to 0.18.0. This vulnerability is exploitable in applications whose hydrating data is user controlled. All Hydrogen users should upgrade their project to version 0.19.0. There is no current workaround, and users should update as soon as possible. Additionally, the Content Security Policy is not an effective mitigation for this vulnerability.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Shopify	Hydrogen

Configuration 1 [-]

cpe:2.3:a:shopify:hydrogen:*:*:*:*:*:node.js:*:*

No data.

References

Link	Providers
https://github.com/Shopify/hydrogen/pull/1272
https://github.com/Shopify/hydrogen/releases/tag/%40shopify/hydrogen%400.19.0
https://github.com/Shopify/hydrogen/security/advisories/GHSA-6j22-wv8g-894f

History

Sat, 12 Jul 2025 13:45:00 +0000

Type	Values Removed	Values Added
Metrics	epss `{'score': 0.00114}`	epss `{'score': 0.00256}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2022-05-18T20:30:13.000Z

Updated: 2025-04-23T18:25:24.537Z

Reserved: 2022-04-13T00:00:00.000Z

Link: CVE-2022-29230

Vulnrichment

No data.

NVD

Status : Modified

Published: 2022-05-18T21:15:07.823

Modified: 2024-11-21T06:58:46.093

Link: CVE-2022-29230

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "hydrogen", "vendor": "Shopify", "versions": [{"status": "affected", "version": ">= 0.10.0, <= 0.18.0"}]}], "descriptions": [{"lang": "en", "value": "Hydrogen is a React-based framework for building dynamic, Shopify-powered custom storefronts. There is a potential Cross-Site Scripting (XSS) vulnerability where an arbitrary user is able to execute scripts on pages that are built with Hydrogen. This affects all versions of Hydrogen starting from version 0.10.0 to 0.18.0. This vulnerability is exploitable in applications whose hydrating data is user controlled. All Hydrogen users should upgrade their project to version 0.19.0. There is no current workaround, and users should update as soon as possible. Additionally, the Content Security Policy is not an effective mitigation for this vulnerability."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-05-18T20:30:13.000Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/Shopify/hydrogen/security/advisories/GHSA-6j22-wv8g-894f"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/Shopify/hydrogen/pull/1272"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/Shopify/hydrogen/releases/tag/%40shopify/hydrogen%400.19.0"}], "source": {"advisory": "GHSA-6j22-wv8g-894f", "discovery": "UNKNOWN"}, "title": "Potential cross-site scripting (XSS) vulnerability in Hydrogen", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2022-29230", "STATE": "PUBLIC", "TITLE": "Potential cross-site scripting (XSS) vulnerability in Hydrogen"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "hydrogen", "version": {"version_data": [{"version_value": ">= 0.10.0, <= 0.18.0"}]}}]}, "vendor_name": "Shopify"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Hydrogen is a React-based framework for building dynamic, Shopify-powered custom storefronts. There is a potential Cross-Site Scripting (XSS) vulnerability where an arbitrary user is able to execute scripts on pages that are built with Hydrogen. This affects all versions of Hydrogen starting from version 0.10.0 to 0.18.0. This vulnerability is exploitable in applications whose hydrating data is user controlled. All Hydrogen users should upgrade their project to version 0.19.0. There is no current workaround, and users should update as soon as possible. Additionally, the Content Security Policy is not an effective mitigation for this vulnerability."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}]}, "references": {"reference_data": [{"name": "https://github.com/Shopify/hydrogen/security/advisories/GHSA-6j22-wv8g-894f", "refsource": "CONFIRM", "url": "https://github.com/Shopify/hydrogen/security/advisories/GHSA-6j22-wv8g-894f"}, {"name": "https://github.com/Shopify/hydrogen/pull/1272", "refsource": "MISC", "url": "https://github.com/Shopify/hydrogen/pull/1272"}, {"name": "https://github.com/Shopify/hydrogen/releases/tag/%40shopify/hydrogen%400.19.0", "refsource": "MISC", "url": "https://github.com/Shopify/hydrogen/releases/tag/%40shopify/hydrogen%400.19.0"}]}, "source": {"advisory": "GHSA-6j22-wv8g-894f", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T06:17:54.175Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/Shopify/hydrogen/security/advisories/GHSA-6j22-wv8g-894f"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/Shopify/hydrogen/pull/1272"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/Shopify/hydrogen/releases/tag/%40shopify/hydrogen%400.19.0"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-04-23T14:07:28.385212Z", "id": "CVE-2022-29230", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-23T18:25:24.537Z"}}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2022-29230", "datePublished": "2022-05-18T20:30:13.000Z", "dateReserved": "2022-04-13T00:00:00.000Z", "dateUpdated": "2025-04-23T18:25:24.537Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:shopify:hydrogen:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "17B85941-2E8A-464A-B36A-D690068208CA", "versionEndExcluding": "0.19.0", "versionStartIncluding": "0.10.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Hydrogen is a React-based framework for building dynamic, Shopify-powered custom storefronts. There is a potential Cross-Site Scripting (XSS) vulnerability where an arbitrary user is able to execute scripts on pages that are built with Hydrogen. This affects all versions of Hydrogen starting from version 0.10.0 to 0.18.0. This vulnerability is exploitable in applications whose hydrating data is user controlled. All Hydrogen users should upgrade their project to version 0.19.0. There is no current workaround, and users should update as soon as possible. Additionally, the Content Security Policy is not an effective mitigation for this vulnerability."}, {"lang": "es", "value": "Hydrogen es un marco de trabajo basado en React para la construcci\u00f3n de escaparates personalizados din\u00e1micos impulsados por Shopify. Se presenta una potencial vulnerabilidad de tipo Cross-Site Scripting (XSS) donde un usuario arbitrario es capaz de ejecutar scripts en p\u00e1ginas que son construidas con Hydrogen. Esto afecta a todas las versiones de Hydrogen desde versi\u00f3n 0.10.0 hasta 0.18.0. Esta vulnerabilidad es explotable en aplicaciones cuyos datos de hidrataci\u00f3n son controlados por el usuario. Todos los usuarios de Hydrogen deber\u00edan actualizar sus proyectos a versi\u00f3n 0.19.0. No se presenta una medida de mitigaci\u00f3n actual, y los usuarios deber\u00edan actualizar lo antes posible. Adem\u00e1s, la Pol\u00edtica de Seguridad de Contenidos no es una mitigaci\u00f3n efectiva para esta vulnerabilidad"}], "id": "CVE-2022-29230", "lastModified": "2024-11-21T06:58:46.093", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.4, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-05-18T21:15:07.823", "references": [{"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Patch", "Third Party Advisory"], "url": "https://github.com/Shopify/hydrogen/pull/1272"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/Shopify/hydrogen/releases/tag/%40shopify/hydrogen%400.19.0"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/Shopify/hydrogen/security/advisories/GHSA-6j22-wv8g-894f"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Patch", "Third Party Advisory"], "url": "https://github.com/Shopify/hydrogen/pull/1272"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/Shopify/hydrogen/releases/tag/%40shopify/hydrogen%400.19.0"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://github.com/Shopify/hydrogen/security/advisories/GHSA-6j22-wv8g-894f"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Secondary"}]}