Potential cross-site scripting (XSS) vulnerability in Hydrogen
Description
Hydrogen is a React-based framework for building dynamic, Shopify-powered custom storefronts. There is a potential Cross-Site Scripting (XSS) vulnerability where an arbitrary user is able to execute scripts on pages that are built with Hydrogen. This affects all versions of Hydrogen from 0.10.0 up to and including 0.18.0. The vulnerability is exploitable in applications whose hydrating data is user controlled. All Hydrogen users should upgrade their project to version 0.19.0. There is no current workaround, and users should update as soon as possible. Additionally, Content Security Policy is not an effective mitigation for this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| @shopify/hydrogen (npm) | >= 0.10.0, < 0.19.0 | 0.19.0 |
Affected products
Patches
Vulnerability mechanics
Root cause
"User-controlled hydrating data is injected into the DOM without sanitization, enabling Cross-Site Scripting (XSS)."
Attack vector
An attacker supplies malicious JavaScript within data that is used during client-side hydration of a Hydrogen page. When the application renders this user-controlled data, the script executes in the context of the victim's browser. The vulnerability is reachable over the network without authentication, as long as the application passes unsanitized user input into hydration data. The advisory notes that Content Security Policy is not an effective mitigation [patch_id=1641619].
Affected code
The vulnerability exists in the client-side hydration mechanism of Hydrogen framework versions 0.10.0 through 0.18.0. The patch [patch_id=1641619] modifies the code path where hydration data is rendered into the DOM. The advisory does not specify exact file paths or function names.
What the fix does
The patch [patch_id=1641619] introduces sanitization or escaping of hydration data before it is injected into the page. By ensuring that user-controlled values are properly encoded, the framework prevents arbitrary script execution during the hydration process. This closes the XSS vector by treating all hydration data as untrusted and applying output encoding.
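To make the mechanism above concrete, the following is an added example, not Hydrogen's code (the page does not show the patched code path): a serializer that embeds hydration data in a script tag without escaping, beside a hardened version that applies output encoding of the kind the fix describes. Function names, the global variable and the sample data are assumptions.

```javascript
// Added example, not Hydrogen's own code: the class of bug the advisory
// describes (hydration data embedded in a <script> tag without escaping)
// beside a hardened serializer. Function names and sample data are assumed.

// Vulnerable pattern: JSON.stringify alone leaves "<" untouched, so a string
// value containing "</script>" ends the script element early and whatever
// follows is parsed as HTML rather than as data.
function renderHydrationScriptUnsafe(data) {
  return `<script>window.__HYDRATION__=${JSON.stringify(data)};</script>`;
}

// Hardened: replace characters significant to the HTML parser, or invalid in
// JS string literals, with JSON \uXXXX escapes. JSON.parse on the client
// still yields the original value, so hydration itself is unaffected.
function escapeJsonForScript(json) {
  return json
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

function renderHydrationScript(data) {
  return `<script>window.__HYDRATION__=${escapeJsonForScript(JSON.stringify(data))};</script>`;
}

// Recover the payload from the rendered tag the way a client bundle would
// after the browser has parsed the element.
function extractPayload(html) {
  const m = html.match(/window\.__HYDRATION__=(.*);<\/script>$/s);
  return m ? JSON.parse(m[1]) : null;
}

// Constructed sample: a field a storefront user could have supplied.
const sample = { title: 'Mug', description: 'Cheap </script> deal & more' };

// Returns what each serializer does with the sample.
function demo() {
  const unsafe = renderHydrationScriptUnsafe(sample);
  const safe = renderHydrationScript(sample);
  return {
    // more than one closing tag: the data broke out of the script element
    unsafeBreaksOut: (unsafe.match(/<\/script>/g) || []).length > 1,
    // exactly one closing tag: the escaped payload stayed inside
    safeIsIntact: (safe.match(/<\/script>/g) || []).length === 1,
    roundTrips: JSON.stringify(extractPayload(safe)) === JSON.stringify(sample),
  };
}
```

The same check applies to any server-rendered JSON blob, not only hydration state: if it sits inside a script element, escape it before it leaves the server.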
Preconditions
- Input: The application must pass user-controlled data into the hydration payload.
- Network: The attacker must be able to supply malicious input to the application over the network.
Generated on May 23, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-6j22-wv8g-894f (advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-29230 (advisory)
- github.com/Shopify/hydrogen/pull/1272 (web)
- github.com/Shopify/hydrogen/releases/tag/%40shopify/hydrogen%400.19.0 (web)
- github.com/Shopify/hydrogen/security/advisories/GHSA-6j22-wv8g-894f (web, vendor confirmation)