CVE-2022-0121

8.0 HIGH

📋 TL;DR

This CVE describes a cross-site scripting (XSS) vulnerability in hoppscotch, an API development tool. Attackers can inject malicious scripts into web pages, potentially stealing user data or performing unauthorized actions. Users of hoppscotch versions before 2.1.1 are affected.

💻 Affected Systems

Products:
  • hoppscotch/hoppscotch
Versions: All versions before 2.1.1
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: This is a web application vulnerability, not OS-specific. Affects all deployments of vulnerable hoppscotch versions.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete account takeover, session hijacking, credential theft, and unauthorized API requests on behalf of authenticated users.

🟠 Likely Case

Session hijacking, credential theft, and unauthorized API requests through malicious script execution.

🟢 If Mitigated

Limited impact with proper input validation and output encoding; potential for minor data exposure.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

XSS vulnerabilities are commonly exploited with readily available tools and techniques.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.1.1

Vendor Advisory: https://github.com/hoppscotch/hoppscotch/commit/86ef1a4e143ea5bb0c7b309574127cc39d4faa74

Restart Required: Yes

Instructions:

1. Update hoppscotch to version 2.1.1 or later.
2. Restart the hoppscotch service/application.
3. Verify the update was successful.

🔧 Temporary Workarounds

Input Validation and Sanitization

Applies to: all

Implement strict input validation and output encoding for user-supplied data.

Content Security Policy (CSP)

Applies to: all

Deploy a strict CSP header to mitigate XSS impact.
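As an added example (not hoppscotch project code and not part of this advisory), the Node.js script below parses a Content-Security-Policy header and flags the settings that still let injected script run: a missing script restriction, 'unsafe-inline' without a nonce or hash, wildcard or scheme-only sources, 'unsafe-eval', and an unrestricted object-src. The function names, the weak and strict sample policies and the nonce value are constructed for illustration.

```javascript
// Added example: audit a Content-Security-Policy header for settings that
// leave cross-site scripting exploitable. Not hoppscotch project code;
// function names and sample policies are constructed for illustration.

// Parse "directive src1 src2; directive2 ..." into a Map of directive -> sources.
// Everything is lowercased: keyword checks are case-insensitive and nonce/hash
// values are only pattern-matched here, never compared to a real value.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy.set(name.toLowerCase(), sources.map((s) => s.toLowerCase()));
  }
  return policy;
}

// Sources that govern script execution: script-src, else the default-src
// fallback, else null (no restriction at all).
function effectiveScriptSources(policy) {
  if (policy.has('script-src')) return policy.get('script-src');
  if (policy.has('default-src')) return policy.get('default-src');
  return null;
}

// Return human-readable findings; an empty array means the policy blocks
// the usual XSS execution paths (inline scripts, remote scripts, eval).
function auditCsp(header) {
  const policy = parseCsp(header);
  const scriptSrc = effectiveScriptSources(policy);
  const findings = [];
  if (scriptSrc === null) {
    findings.push('no script-src or default-src: inline and remote scripts are allowed');
    return findings;
  }
  // A nonce or hash makes CSP2+ browsers ignore 'unsafe-inline', so only
  // flag 'unsafe-inline' when neither is present.
  const hasNonceOrHash = scriptSrc.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
  if (scriptSrc.includes("'unsafe-inline'") && !hasNonceOrHash) {
    findings.push("'unsafe-inline' in script sources: injected inline <script> executes");
  }
  if (scriptSrc.includes('*') || scriptSrc.some((s) => /^(https?:|data:)$/.test(s))) {
    findings.push('wildcard or scheme-only script source: externally hosted scripts can load');
  }
  if (scriptSrc.includes("'unsafe-eval'")) {
    findings.push("'unsafe-eval' present: eval()/Function() sinks remain usable");
  }
  if (!policy.has('object-src') && !policy.has('default-src')) {
    findings.push('object-src unrestricted: plugin content can execute script');
  }
  return findings;
}

// Constructed sample policies: a weak one and a hardened one for comparison.
const WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline' *";
const STRICT_CSP =
  "default-src 'self'; script-src 'self' 'nonce-r4nd0mN0nce'; object-src 'none'; base-uri 'self'";

for (const [label, csp] of [['weak', WEAK_CSP], ['strict', STRICT_CSP]]) {
  const findings = auditCsp(csp);
  console.log(`${label}: ${findings.length === 0 ? 'OK' : findings.join(' | ')}`);
}
```

Run it against the header your reverse proxy or application actually sends; the strict sample policy is the shape to aim for (per-response nonce, no wildcard, object-src 'none', base-uri pinned), and the script reports why the weak one would not contain an injected payload.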

🧯 If You Can't Patch

  • Isolate the hoppscotch instance from sensitive networks and data.
  • Implement web application firewall (WAF) rules to block XSS payloads.

🔍 How to Verify

Check if Vulnerable:

Check the hoppscotch version; if it's below 2.1.1, it's vulnerable.

Check Version:

Check the application interface or deployment configuration for version information.

Verify Fix Applied:

Confirm the hoppscotch version is 2.1.1 or later and test for XSS payloads.

📡 Detection & Monitoring

Log Indicators:

  • Unusual script tags or JavaScript payloads in request logs
  • Multiple failed login attempts or session anomalies

Network Indicators:

  • Suspicious outbound connections to unknown domains
  • Unexpected data exfiltration patterns

SIEM Query:

Search web request logs for patterns such as '<script>' or 'javascript:', including their URL-encoded and double-encoded forms.
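As an added example (not hoppscotch project code and not part of this advisory), the Node.js script below implements that search over combined-format access-log lines: it parses each line, percent-decodes the request target and referer repeatedly so double-encoded payloads surface, and reports which XSS indicators matched. The log lines, the 203.0.113.x addresses and the function names are constructed for illustration.

```javascript
// Added example: scan web access-log lines for XSS indicators, including
// URL-encoded and double-encoded forms. Not hoppscotch project code; the
// sample log lines and function names are constructed for illustration.

const XSS_PATTERNS = [
  { name: 'script-tag', re: /<\s*script\b/i },
  { name: 'javascript-uri', re: /javascript\s*:/i },
  { name: 'event-handler', re: /\bon[a-z]+\s*=/i },
  { name: 'svg-or-img-tag', re: /<\s*(svg|img|iframe)\b/i },
];

// Percent-decode until the value stops changing (at most 3 rounds), so a
// double-encoded payload such as %253Cscript%253E becomes <script>.
function fullyDecode(s) {
  let cur = s;
  for (let i = 0; i < 3; i++) {
    let next;
    try {
      next = decodeURIComponent(cur.replace(/\+/g, ' '));
    } catch (e) {
      next = cur; // malformed escape sequence: stop decoding, keep what we have
    }
    if (next === cur) break;
    cur = next;
  }
  return cur;
}

// Combined log format: ip ident user [time] "METHOD target proto" status bytes "referer" "ua"
const LOG_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) ([^" ]+)[^"]*" (\d{3}) \S+(?: "([^"]*)" "([^"]*)")?/;

function parseLine(line) {
  const m = LOG_RE.exec(line);
  if (!m) return null;
  return { ip: m[1], time: m[2], method: m[3], target: m[4], status: Number(m[5]), referer: m[6] || '-', ua: m[7] || '-' };
}

// Names of the patterns that match a parsed request; empty when clean.
// The target (path + query) and the referer are where reflected payloads show up.
function xssIndicators(entry) {
  const hits = new Set();
  for (const field of [entry.target, entry.referer]) {
    const decoded = fullyDecode(field);
    for (const p of XSS_PATTERNS) if (p.re.test(decoded)) hits.add(p.name);
  }
  return [...hits];
}

// Scan a list of raw lines; unparseable lines are skipped.
function scanLog(lines) {
  const findings = [];
  for (const line of lines) {
    const entry = parseLine(line);
    if (!entry) continue;
    const hits = xssIndicators(entry);
    if (hits.length) findings.push({ ip: entry.ip, target: entry.target, hits });
  }
  return findings;
}

// Constructed sample log: three encoded payloads, one double-encoded payload,
// two benign requests and one line that does not parse.
const SAMPLE_LOG = [
  '203.0.113.5 - - [10/Jan/2022:10:00:01 +0000] "GET /?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
  '203.0.113.5 - - [10/Jan/2022:10:00:02 +0000] "GET /?u=%253Cscript%253E HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
  '203.0.113.7 - - [10/Jan/2022:10:00:03 +0000] "GET /redirect?to=javascript%3Aalert(document.cookie) HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
  '198.51.100.2 - - [10/Jan/2022:10:00:04 +0000] "GET /api/v1/collections?page=2 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
  '198.51.100.2 - - [10/Jan/2022:10:00:05 +0000] "GET /search?q=hello+world HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
  '203.0.113.9 - - [10/Jan/2022:10:00:06 +0000] "GET /?name=%22%3E%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
  'not a log line',
];

console.log(JSON.stringify(scanLog(SAMPLE_LOG), null, 2));
```

The same decode-then-match logic transfers to a SIEM: normalise the URL field first, then apply the patterns, or alerts on encoded payloads will be missed. Expect some noise from the event-handler pattern on parameter names that happen to start with "on"; tune it against your own traffic before alerting on it.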
