SHOPIFY CLI PATCHES DNS REBINDING HOLE IN THEME DEV
By RepoJournal
A critical security vulnerability in theme dev could let malicious sites steal data through DNS rebinding attacks, and Shopify shipped the fix overnight.
The CLI now maintains a strict allowlist of localhost variants (localhost, 127.0.0.1, ::1, 0.0.0.0) and validates every incoming request against it [1], closing a hole that could expose developer data when running theme dev alongside untrusted browser tabs. On the reliability front, E2E cleanup got overhauled to handle the dashboard failures that were leaving orphaned apps behind [2], with per-app retry logic and safer name parsing that should eliminate the stale pagination cursor problems teams hit during bulk discovery. Analytics metadata for app and theme commands was getting lost after the bundled CLI switched to dual module graphs [3], which broke observability on those commands and got fixed to properly thread metadata through the build. The CLI also extended ExtensionInstance.deployConfig to surface app configuration data to extensions like Flow actions [4], unblocking downstream work that needs access to application URLs and settings.
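The Host-header check described for theme dev, sketched as an added example (not Shopify's code): a rebound page still sends its own domain in `Host`, so a local server that only accepts the four allowlisted names rejects it. The allowlist entries come from the article; the function names and the sample request are assumptions made up for illustration.

```javascript
// Added example, not from Shopify/cli. Allowlist entries are the ones the
// article names; every function name here is hypothetical.
const ALLOWED_HOSTS = new Set(['localhost', '127.0.0.1', '::1', '0.0.0.0']);

// Pull the hostname out of a Host header value. Accepted shapes:
//   name, name:port, [ipv6], [ipv6]:port
// Anything else (userinfo, spaces, unbracketed IPv6, empty) yields null.
function hostnameFromHostHeader(value) {
  if (typeof value !== 'string' || value.length === 0) return null;
  const host = value.trim().toLowerCase();
  if (host.startsWith('[')) {
    const v6 = /^\[([0-9a-f:.]+)\](?::\d{1,5})?$/.exec(host);
    return v6 ? v6[1] : null;
  }
  const named = /^([a-z0-9.-]+)(?::\d{1,5})?$/.exec(host);
  return named ? named[1] : null;
}

// Exact match only: "localhost.attacker.example" and "localhost." both fail,
// because suffix or prefix matching is what a rebinding domain would exploit.
function isAllowedHost(headerValue) {
  const name = hostnameFromHostHeader(headerValue);
  return name !== null && ALLOWED_HOSTS.has(name);
}

// Guard for a node:http style handler. Returns true when the request was
// rejected, so the caller stops processing before touching any local data.
function rejectUnlessLocalHost(req, res) {
  if (isAllowedHost(req.headers.host)) return false;
  res.statusCode = 403;
  res.end('Forbidden: unexpected Host header');
  return true;
}
```

Call `rejectUnlessLocalHost(req, res)` first in the request handler and return early when it yields true; a missing `Host` header is treated as a rejection.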
Action items
- Update Shopify CLI immediately: DNS rebinding vulnerability in theme dev (Shopify/cli) [immediate]
- Monitor Hydrogen preview release: new build step added to check workflow (Shopify/hydrogen) [plan]
- Verify Hydrogen setup has vite installed before running CLI commands (Shopify/hydrogen) [plan]
References
- [1] create allowlist for localhost variants and validate host on requests (Shopify/cli)
- [2] Fix E2E cleanup (Shopify/cli)
- [3] Fix analytics metadata for app/theme (Shopify/cli)
- [4] [Feature] Extend ExtensionInstance.deployConfig to include app config info (Shopify/cli)
- [5] Show actionable error when vite is missing in Hydrogen CLI (Shopify/hydrogen)
FAQ
- What changed in Shopify on June 12, 2026?
  - A critical security vulnerability in theme dev could let malicious sites steal data through DNS rebinding attacks, and Shopify shipped the fix overnight.
- What should Shopify teams do about it?
  - Update Shopify CLI immediately: DNS rebinding vulnerability in theme dev
  - Monitor Hydrogen preview release: new build step added to check workflow
  - Verify Hydrogen setup has vite installed before running CLI commands
- Which Shopify repositories shipped on June 12, 2026?
  - Shopify/cli, Shopify/hydrogen