CVE-2023-44487

CVE-2023-44487 – HTTP/2 Rapid Reset DoS Root cause: HTTP/2 stream resets can cause servers to continue processing, leading to unbounded resource consumption and potential DoS when clients rapidly cancel streams. What’s affected: Various HTTP/2 implementations and deployments, including servers, p...

CVE-2022-24112

CVE-2022-24112 affects Apache APISIX. It arises from the batch-requests plugin, where a bug can bypass the Admin API IP restriction, enabling remote code execution. Exploits/PoCs exist for APISIX 2.12.0–2.12.1 demonstrating RCE via admin API path and Lua code injection in routes, with documented ...

CVE-2022-29266

Apache APISIX prior to 3.13.1 is affected by an information-disclosure issue in the jwt-auth plugin. The error message returned by the dependency lua-resty-jwt can leak the user’s secret key, enabling leakage of sensitive credentials. Affected product: Apache APISIX (jwt-auth plugin); vulnerable ...

CVE-2022-25757

CVE-2022-25757 (Apache APISIX) affects APISIX up to version 2.12.x before 2.13.0. When decoding JSON with duplicate keys, lua-cjson returns the last value, allowing an attacker to bypass the body_schema validation in the request-validation plugin (e.g., {"string_payload":"bad","string_payload":"g...

CVE-2020-13945

Apache APISIX 1.2–1.5 are vulnerable when the Admin API is enabled and Admin API access IP restriction rules are removed, allowing the default token to access APISIX management data. The root cause is insufficient protection of credentials leading to unauthorized access. Impact is unauthorized ac...

CVE-2024-32638

This CVE (CVE-2024-32638) concerns Apache APISIX and the forward-auth plugin, where an Inconsistent Interpretation of HTTP Requests (HTTP Request Smuggling) vulnerability exists. Affected versions are APISIX 3.8.0 and 3.9.0; upgrading to 3.8.1, 3.9.1, or newer mitigates the issue. The vulnerabili...

CVE-2021-43557

CVE-2021-43557 affects Apache APISIX prior to 2.10.2. The issue is in the uri-block plugin, which uses $request_uri (the full original request URI without normalization) without verification, enabling construction of URIs that can bypass the block list (e.g., a block entry like ^/internal/ could ...

CVE-2025-27446

CVE-2025-27446 affects Apache APISIX (java-plugin-runner) from version 0.2.0 through 0.5.0. The root cause is improper permissions on a local listening file, enabling a local attacker to elevate privileges. The issue’s impact is high (local, user-privilege escalation with high confidentiality/int...

CVE-2025-62232

Apache APISIX is affected by a logging-related data exposure (CVE-2025-62232) where basic-auth credentials are written in plaintext to error logs and forwarded to log sinks when the log level is INFO/DEBUG. The issue is caused by logging sensitive data during normal operation, creating a high ris...

CVE-2025-46647

CVE-2025-46647 concerns Apache APISIX openid-connect plugin (introspection mode) where multiple issuers sharing the same private key can allow a user authenticated to one issuer to access another issuer. Public details from multiple sources specify the vulnerability requires: (1) openid-connect p...

CVE-2026-31908

Apache APISIX (forward-auth plugin) is affected by a header injection vulnerability (CVE-2026-31908) tracked across multiple feeds. Affects versions 2.12.0 through 3.15.0; exploitation arises from improper sanitization of CRLF sequences in the forward-auth plugin, enabling injection of HTTP heade...

CVE-2026-31923

CVE-2026-31923 affects Apache APISIX (0.7–3.15.0) due to openid-connect plugin tls_verify/ssl_verify being disabled by default, enabling cleartext transmission of sensitive information. The CVSSv3.1 base score is 7.5 (Network attack, Low attack complexity, no privileges or user interaction, Confi...

CVE-2026-31924

Summary: CVE-2026-31924 affects Apache APISIX due to cleartext transmission of sensitive information in the tencent-cloud-cls log export feature. Affected versions are 2.99.0 through 3.15.0. The issue enables plaintext HTTP exposure for logs/telemetry as described in connected advisories. Impact ...