Vulnerability DatabaseCVE-2022-29230

CVE-2022-29230:
JavaScript vulnerability analysis and mitigation

Overview

A Cross-Site Scripting (XSS) vulnerability was identified in Shopify's Hydrogen framework, tracked as CVE-2022-29230. The vulnerability affects Hydrogen versions from 0.10.0 to 0.18.0, which is a React-based framework used for creating custom Shopify storefronts. The issue was discovered and disclosed in May 2022, where an arbitrary user could potentially execute scripts on pages built with the framework (SOCRadar).

Technical details

The vulnerability has been assigned a CVSS score of 5.4, indicating a medium severity level. The issue stems from insufficient input validation where an arbitrary user could execute scripts on pages that are built with the Hydrogen framework. This cross-site scripting vulnerability specifically affects the framework's handling of user-controlled pages (FortiGuard).

Impact

The vulnerability could allow attackers to execute arbitrary scripts in the context of affected Shopify storefronts built with Hydrogen. This could potentially lead to theft of sensitive information, session hijacking, or other malicious actions typically associated with XSS attacks (SOCRadar).

Mitigation and workarounds

The recommended mitigation is to upgrade to Hydrogen version 0.19.0 or later, which contains the fix for this vulnerability. No alternative workarounds have been publicly documented (SOCRadar).

Additional resources

Source: This report was generated using AI

View vulnerable instances

Not a Wiz customer? See which CVEs are exploitable in your environment.

Get a CVE Assessment

5.4

Score

Published May 18, 2022

Severity MEDIUM

CNA Score 6.3

Affected Technologies

JavaScript
NixOS

Has Public Exploit No

Has CISA KEV Exploit No

CISA KEV Release Date N/A

CISA KEV Due Date N/A

Exploitation Probability Percentile (EPSS) 53.4

Exploitation Probability (EPSS) 0.3

Affected packages and libraries

hydrogen
@shopify/hydrogen

Sources

NVD
GitHub Advisory Database
- npm Severity MEDIUMHas FixAdded at: May 20, 2022
Homebrew
- Homebrew Severity MEDIUMHas FixAdded at: Feb 12, 2024
Nix
- Nix Severity MEDIUMHas FixAdded at: Nov 01, 2023

Get a CVE risk assessment

Get a prioritized view of CVEs in your cloud—so you can focus on what's exploitable, not just what's listed.

Request assessment

Related JavaScript vulnerabilities:

CVE ID	Severity	Score	Technologies	Component name	CISA KEV exploit	Has fix	Published date
CVE-2025-55182	CRITICAL	10	JavaScript	react	No	Yes	Dec 03, 2025
CVE-2025-66401	CRITICAL	9.8	JavaScript	mcp-watch	No	No	Dec 01, 2025
CVE-2025-66412	HIGH	8.5	JavaScript	@angular/compiler	No	Yes	Dec 01, 2025
CVE-2025-66415	MEDIUM	6.9	JavaScript	@fastify/reply-from	No	Yes	Dec 01, 2025
CVE-2025-66405	MEDIUM	6.9	JavaScript	@portkey-ai/gateway	No	Yes	Dec 01, 2025

Free Vulnerability Assessment

Benchmark your Cloud Security Posture

Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.

Request assessment

Additional Wiz resources

Cloud Vulnerability DB

A community-led vulnerabilities database

Cloud Threat Landscape

A threat intelligence database

PEACH

A tenant isolation framework

Get a personalized demo

Ready to see Wiz in action?

"Best User Experience I have ever seen, provides full visibility to cloud workloads."

David EstlickCISO

"Wiz provides a single pane of glass to see what is going on in our cloud environments."

Adam FletcherChief Security Officer

"We know that if Wiz identifies something as critical, it actually is."

Greg PoniatowskiHead of Threat and Vulnerability Management

Get a demo

CVE-2022-29230: JavaScript vulnerability analysis and mitigation