Lucene search: ApacheApisix

9 matches found

CVE · added 2023/10/10 2:15 p.m. · 4414 views

CVE-2023-44487

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

CVSS 7.5 · AI score 8 · EPSS 0.94434

CVE · added 2022/02/11 1:15 p.m. · 982 views

CVE-2022-24112

An attacker can abuse the batch-requests plugin to send requests to bypass the IP restriction of Admin API. A default configuration of Apache APISIX (with default API key) is vulnerable to remote code execution. When the admin key was changed or the port of Admin API was changed to a port different...

CVSS 9.8 · AI score 9.7 · EPSS 0.9434

CVE · added 2022/04/20 8:15 a.m. · 584 views

CVE-2022-29266

In Apache APISIX before 3.13.1, the jwt-auth plugin has a security issue that leaks the user's secret key because the error message returned from the dependency lua-resty-jwt contains sensitive information.

CVSS 7.5 · AI score 7.5 · EPSS 0.35102

CVE · added 2022/03/28 7:15 a.m. · 109 views

CVE-2022-25757

In Apache APISIX before 2.13.0, when decoding JSON with duplicate keys, lua-cjson will choose the last occurring value as the result. By passing a JSON with a duplicate key, the attacker can bypass the body_schema validation in the request-validation plugin. For example, {"string_payload":"bad","str...

CVSS 9.8 · AI score 9.5 · EPSS 0.00402

CVE · added 2024/05/02 10:15 a.m. · 104 views

CVE-2024-32638

Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in Apache APISIX when using the forward-auth plugin. This issue affects Apache APISIX: from 3.8.0, 3.9.0. Users are recommended to upgrade to version 3.8.1, 3.9.1 or higher, which fixes the issue.

CVSS 6.3 · AI score 6.4 · EPSS 0.00174

CVE · added 2020/12/07 8:15 p.m. · 89 views

CVE-2020-13945

In Apache APISIX, the user enabled the Admin API and deleted the Admin API access IP restriction rules. Eventually, the default token is allowed to access APISIX management data. This affects versions 1.2, 1.3, 1.4, 1.5.

CVSS 6.5 · AI score 6.5 · EPSS 0.94177

CVE · added 2021/11/22 9:15 a.m. · 61 views

CVE-2021-43557

The uri-block plugin in Apache APISIX before 2.10.2 uses $request_uri without verification. The $request_uri is the full original request URI without normalization. This makes it possible to construct a URI to bypass the block list on some occasions. For instance, when the block list contains "^/in...

CVSS 7.5 · AI score 7.3 · EPSS 0.35995

CVE · added 2025/07/06 6:15 a.m. · 15 views

CVE-2025-27446

Incorrect Permission Assignment for Critical Resource vulnerability in Apache APISIX (java-plugin-runner). Local listening file permissions in the APISIX plugin runner allow a local attacker to elevate privileges. This issue affects Apache APISIX (java-plugin-runner): from 0.2.0 through 0.5.0. Users are r...

CVSS 7.8 · AI score 6.4 · EPSS 0.0001

CVE · added 2025/07/02 12:15 p.m. · 11 views

CVE-2025-46647

A vulnerability in the openid-connect plugin of Apache APISIX. This vulnerability will only have an impact if all of the following conditions are met:
- Use the openid-connect plugin with introspection mode
- The auth service connected to openid-connect provides services to multiple issuers
- Multiple issuer...

CVSS 5.3 · AI score 7.2 · EPSS 0.00044