shopify_app is vulnerable to Authorization Bypass
75
High Risk
In token-exchange authenticated controllers, the current_shopify_domain helper resolves to the sanitized shop query parameter before falling back to the shop identity from the verified Shopify ID token or active session. An attacker holding a valid session token for one shop can send an authenticated request carrying a different shop parameter, causing application code that trusts current_shopify_domain or params[:shop] to operate in the context of the requested shop. This enables cross-shop authorization bypass, allowing access to another shop's data or shop-scoped actions. The fix resolves current_shopify_domain from the authenticated shop, adds authenticated_shopify_domain and requested_shopify_domain helpers, and rejects token-exchange requests with 401 Unauthorized when the requested shop does not match the authenticated shop.
You are affected if you are using a version that falls within the vulnerable range and your application uses token-exchange authentication and relies on current_shopify_domain or the request shop parameter for authorization or shop-scoped data access.
shopify_app is vulnerable to Authorization Bypass in versions 22.1.0 - 23.0.2.
Upgrade the shopify_app library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant