CVE-2022-24112

9.8 CRITICAL

📋 TL;DR

CVE-2022-24112 is a critical authentication bypass vulnerability in Apache APISIX's batch-requests plugin that allows attackers to bypass IP restrictions and execute remote code. Organizations running default configurations of Apache APISIX are affected. The vulnerability enables attackers to send malicious requests to the Admin API even when IP restrictions are configured.

💻 Affected Systems

Products:
  • Apache APISIX
Versions: Apache APISIX 2.12.1 and earlier
Operating Systems: All platforms running Apache APISIX
Default Config Vulnerable: ⚠️ Yes
Notes: Default API key configurations are most vulnerable. Changing admin keys or using separate ports reduces but doesn't eliminate risk.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution with administrative privileges leading to complete system compromise, data theft, and lateral movement within the network.

🟠 Likely Case

Unauthorized access to the Admin API allowing configuration changes, route manipulation, and potential privilege escalation to RCE.

🟢 If Mitigated

Limited impact if the Admin API uses non-default keys and a separate port from the data plane, though the IP bypass risk remains.

🌐 Internet-Facing: HIGH - Default configurations are vulnerable to remote exploitation without authentication.
🏢 Internal Only: HIGH - Internal systems remain vulnerable to authenticated attackers or those who gain initial access.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Multiple public exploit scripts available. Attack requires network access to APISIX instance.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apache APISIX 2.13.0

Vendor Advisory: https://lists.apache.org/thread/lcdqywz8zy94mdysk7p3gfdgn51jmt94

Restart Required: Yes

Instructions:

1. Upgrade to Apache APISIX 2.13.0 or later.
2. Restart all APISIX services.
3. Verify the batch-requests plugin is properly configured.

🔧 Temporary Workarounds

Disable batch-requests plugin
Applies to: all
Remove or disable the vulnerable batch-requests plugin if it is not required.
Edit the APISIX configuration to remove batch-requests from the plugins list.

Restrict Admin API access
Applies to: all
Apply strict network-level restrictions to Admin API endpoints.
Use firewall rules to restrict Admin API port access to trusted IPs only.

🧯 If You Can't Patch

  • Change default admin API keys to strong, unique values
  • Configure the Admin API to run on a separate port from the data plane with strict IP whitelisting

🔍 How to Verify

Check if Vulnerable:

Check the APISIX version: if the instance runs 2.12.1 or earlier with the batch-requests plugin enabled, it is vulnerable.

Check Version:

apisix version

Verify Fix Applied:

Verify APISIX version is 2.13.0 or later and test batch-requests plugin functionality with IP restriction bypass attempts.

📡 Detection & Monitoring

Log Indicators:

  • Unusual batch requests to Admin API endpoints
  • Requests from unexpected IPs to restricted endpoints
  • Configuration changes via Admin API from unauthorized sources

Network Indicators:

  • HTTP requests containing X-Real-IP or X-Forwarded-For headers with batch-requests plugin calls
  • Traffic to Admin API port from external IPs

SIEM Query:

source="apisix" AND (uri="/apisix/admin" OR uri="/apisix/batch-requests") AND NOT src_ip IN [trusted_ip_list]
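As an added example (not part of this advisory page), the log and network indicators above turned into a scan over constructed APISIX access-log lines; the JSON field names, the trusted admin network and the sample entries are assumptions, so adjust them to your own log format.

```python
import ipaddress
import json

# Constructed sample access-log lines (assumed one-JSON-object-per-line format).
SAMPLE_LOG = """
{"src_ip": "10.0.0.5", "uri": "/apisix/batch-requests", "method": "POST", "headers": {"X-Real-IP": "127.0.0.1"}}
{"src_ip": "10.0.0.5", "uri": "/apisix/admin/routes/1", "method": "PUT", "headers": {}}
{"src_ip": "10.0.0.9", "uri": "/hello", "method": "GET", "headers": {}}
{"src_ip": "203.0.113.7", "uri": "/apisix/batch-requests", "method": "POST", "headers": {"X-Forwarded-For": "127.0.0.1, 203.0.113.7"}}
{"src_ip": "10.0.0.5", "uri": "/apisix/admin/plugins/list", "method": "GET", "headers": {}}
"""

TRUSTED = [ipaddress.ip_network("10.0.0.0/8")]   # assumed trusted admin network
IP_HEADERS = ("x-real-ip", "x-forwarded-for")    # client-controlled IP headers
WRITE_METHODS = ("PUT", "POST", "PATCH", "DELETE")


def is_trusted(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED)


def claims_internal(value: str) -> bool:
    """True if the first address in an X-Real-IP/X-Forwarded-For value is loopback or private."""
    try:
        first = ipaddress.ip_address(value.split(",")[0].strip())
    except ValueError:
        return False
    return first.is_loopback or first.is_private


def classify(entry: dict) -> list:
    """Return the indicator names triggered by a single log entry."""
    hits = []
    uri = entry.get("uri", "")
    headers = {k.lower(): v for k, v in entry.get("headers", {}).items()}
    present = [h for h in IP_HEADERS if h in headers]
    is_batch = uri.startswith("/apisix/batch-requests")
    is_admin = uri.startswith("/apisix/admin")
    if is_batch and present:                       # batch call carrying a spoofable IP header
        hits.append("batch-requests-with-ip-header")
    if present and any(claims_internal(headers[h]) for h in present):
        hits.append("ip-header-claims-internal")   # header asserts a loopback/private caller
    if (is_batch or is_admin) and not is_trusted(entry["src_ip"]):
        hits.append("restricted-uri-untrusted-source")
    if is_admin and entry.get("method") in WRITE_METHODS:
        hits.append("admin-api-config-change")     # configuration change via Admin API
    return hits


def scan(log_text: str) -> list:
    """Return (src_ip, indicators) for every entry that triggers at least one indicator."""
    findings = []
    for line in log_text.strip().splitlines():
        entry = json.loads(line)
        hits = classify(entry)
        if hits:
            findings.append((entry["src_ip"], hits))
    return findings
```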

🔗 References
