CRITICAL🚩 CISA KEV⚑ EXPLOITπŸ‡΅πŸ‡± Wersja polska

CVE-2022-24112

CVSS 9.8v3.1pub. 2022-02-11upd. 2025-10-23

An attacker can abuse the batch-requests plugin to send requests to bypass the IP restriction of Admin API. A default configuration of Apache APISIX (with default API key) is vulnerable to remote code execution. When the admin key was changed or the port of Admin API was changed to a port different from the data panel, the impact is lower. But there is still a risk to bypass the IP restriction of Apache APISIX's data panel. There is a check in the batch-requests plugin which overrides the client IP with its real remote IP. But due to a bug in the code, this check can be bypassed.

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Apache Apisix

    APP
    Apache
    < 2.10.42.11.0 – 2.12.1 (bez)

CISA KEV β€” detailsi

Vendori
Apache β†—
Producti
APISIX
Added to KEVi
August 25, 2022
Remediation deadline (US Federal)i
September 15, 2022(overdue)
Required action (CISA)i

Apply updates per vendor instructions.

CISA descriptioni

Apache APISIX contains an authentication bypass vulnerability that allows for remote code execution.

πŸ”΄
IMMEDIATE ACTION
Actively exploited in the wild (CISA KEV). Patch immediately.
⏰CISA DEADLINE: 15 wrzeΕ›nia 2022
Tags
RCE
CWE
References

Related vulnerabilities

CVE-2026-31908CRITICAL9.1PL βœ“ten sam produkt

Header injection w pluginie forward-auth Apache APISIX

CVE-2022-25757CRITICAL9.8ten sam produkt

In Apache APISIX before 2.13.0, when decoding JSON with duplicate keys, lua-cjson will choose the last occurre...

CVE-2026-39999HIGH7.0ten sam produkt

Authentication Bypass by Spoofing vulnerability in Apache APISIX. The attacker can completely bypass authenti...

CVE-2026-31923HIGH7.5ten sam produkt

Cleartext Transmission of Sensitive Information vulnerability in Apache APISIX. This can occur due to `ssl_ve...

CVE-2025-62232HIGH7.5ten sam produkt

Sensitive data exposure via logging in basic-auth leads to plaintext usernames and passwords written to error ...

CVE-2022-24112 β€” Apache β€” Apisix β€” CRITICAL β€” CVSS 9.8 | CVEbaza.pl