Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-fnw8-u5tm-7qfu
Vulnerability ID VCID-fnw8-u5tm-7qfu
Aliases CVE-2022-29172
GHSA-7ww6-75fj-jcj7
Summary Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Auth0 is an authentication broker that supports both social and enterprise identity providers, including Active Directory, LDAP, Google Apps, and Salesforce. In versions before `11.33.0`, when the “additional signup fields� feature [is configured](https://github.com/auth0/lock#additional-sign-up-fields), a malicious actor can inject invalidated HTML code into these additional fields, which is then stored in the service `user_metdata` payload (using the `name` property). Verification emails, when applicable, are generated using this metadata. It is therefor possible for an actor to craft a malicious link by injecting HTML, which is then rendered as the recipient's name within the delivered email template. You are impacted by this vulnerability if you are using `auth0-lock` version `11.32.2` or lower and are using the “additional signup fields� feature in your application. Upgrade to version `11.33.0`.
Status Published
Exploitability None
Weighted Severity None
Risk None
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
epss 0.00207 https://api.first.org/data/v1/epss?cve=CVE-2022-29172
epss 0.00207 https://api.first.org/data/v1/epss?cve=CVE-2022-29172
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-7ww6-75fj-jcj7
cvssv3.1 6.1 https://github.com/auth0/lock
generic_textual MODERATE https://github.com/auth0/lock
cvssv3.1 6.1 https://github.com/auth0/lock/commit/79ae557d331274b114848150f19832ae341771b1
generic_textual MODERATE https://github.com/auth0/lock/commit/79ae557d331274b114848150f19832ae341771b1
ssvc Track https://github.com/auth0/lock/commit/79ae557d331274b114848150f19832ae341771b1
cvssv3.1 6.1 https://github.com/auth0/lock/security/advisories/GHSA-7ww6-75fj-jcj7
cvssv3.1_qr MODERATE https://github.com/auth0/lock/security/advisories/GHSA-7ww6-75fj-jcj7
generic_textual MODERATE https://github.com/auth0/lock/security/advisories/GHSA-7ww6-75fj-jcj7
ssvc Track https://github.com/auth0/lock/security/advisories/GHSA-7ww6-75fj-jcj7
cvssv3.1 6.1 https://nvd.nist.gov/vuln/detail/CVE-2022-29172
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2022-29172
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2022-29172
https://github.com/auth0/lock
https://github.com/auth0/lock/commit/79ae557d331274b114848150f19832ae341771b1
CVE-2022-29172 https://nvd.nist.gov/vuln/detail/CVE-2022-29172
GHSA-7ww6-75fj-jcj7 https://github.com/advisories/GHSA-7ww6-75fj-jcj7
GHSA-7ww6-75fj-jcj7 https://github.com/auth0/lock/security/advisories/GHSA-7ww6-75fj-jcj7
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Found at https://github.com/auth0/lock
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Found at https://github.com/auth0/lock/commit/79ae557d331274b114848150f19832ae341771b1
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:07:48Z/ Found at https://github.com/auth0/lock/commit/79ae557d331274b114848150f19832ae341771b1
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Found at https://github.com/auth0/lock/security/advisories/GHSA-7ww6-75fj-jcj7
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:07:48Z/ Found at https://github.com/auth0/lock/security/advisories/GHSA-7ww6-75fj-jcj7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2022-29172
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.43046
EPSS Score 0.00207
Published At June 4, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-02T04:42:27.381533+00:00 GitLab Importer Import https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/auth0-lock/CVE-2022-29172.yml 38.6.0