CVE-2022-25757

9.8 CRITICAL

📋 TL;DR

This vulnerability allows attackers to bypass JSON validation in Apache APISIX by submitting requests whose JSON payloads contain duplicate keys. The request-validation plugin uses a JSON parser that keeps the last of the duplicate values, while upstream applications may use parsers that keep the first value, so data that was never checked against the schema can reach backend systems. Affected systems are those running vulnerable APISIX versions with the request-validation plugin enabled and upstream applications that use such JSON libraries.

💻 Affected Systems

Products:
  • Apache APISIX
Versions: before 2.13.0 (2.12.1 and prior)
Operating Systems: All operating systems running APISIX
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when all three hold: 1) body_schema validation is used in the request-validation plugin, 2) upstream applications use JSON libraries that keep the first of duplicate keys (such as jsoniter or gojay), 3) upstream applications do not re-validate input

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers bypass all input validation and inject malicious payloads directly into backend systems, potentially leading to remote code execution, data breaches, or complete system compromise.

🟠 Likely Case

Attackers bypass specific validation rules to submit unauthorized or malformed data to backend applications, potentially causing data corruption, privilege escalation, or business logic manipulation.

🟢 If Mitigated

With proper input validation at both APISIX and application layers, the impact is limited to potential parsing inconsistencies between systems.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires crafting JSON with duplicate keys and knowledge of validation rules. Public proof-of-concept examples exist in security advisories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apache APISIX 2.13.0 and later

Vendor Advisory: https://lists.apache.org/thread/03vd2j81krxmpz6xo8p1dl642flpo6fv

Restart Required: Yes

Instructions:

1. Backup current configuration.
2. Upgrade APISIX to version 2.13.0 or later.
3. Restart APISIX service.
4. Verify upgrade completed successfully.

🔧 Temporary Workarounds

Disable request-validation plugin

Platforms: all

Temporarily disable the vulnerable request-validation plugin if it is not essential:

  apisix stop
  Edit the APISIX configuration to remove or disable the request-validation plugin
  apisix start

Implement additional validation layer

Platforms: all

Add custom validation logic in APISIX to detect duplicate JSON keys: implement a custom plugin, or modify the existing validation, so that the body is checked for duplicate keys and rejected before schema validation runs.
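The duplicate-key check described in this workaround, as an added Python example (not APISIX code; an APISIX plugin would be written in Lua, so this is a model to port). It shows the parser differential from the TL;DR on a constructed payload, a last-wins parser (the gateway side) against a first-wins parser (the upstream side), and a strict parser that rejects duplicate keys at any nesting depth so the body never reaches schema validation:

```python
import json
from typing import Any


class DuplicateKeyError(ValueError):
    """Raised when a JSON object repeats a key (the condition this CVE abuses)."""


def _strict_pairs(pairs):
    # object_pairs_hook: json calls this once per object, at every nesting depth
    obj = {}
    for key, value in pairs:
        if key in obj:
            raise DuplicateKeyError(f"duplicate key {key!r}")
        obj[key] = value
    return obj


def _first_wins_pairs(pairs):
    # Models an upstream parser that keeps the first occurrence of a key
    obj = {}
    for key, value in pairs:
        obj.setdefault(key, value)
    return obj


def parse_strict(body: str) -> Any:
    """Parse JSON, refusing any payload that repeats a key at any depth."""
    return json.loads(body, object_pairs_hook=_strict_pairs)


def parse_last_wins(body: str) -> Any:
    """Default json.loads semantics: last occurrence wins (model of the gateway side)."""
    return json.loads(body)


def parse_first_wins(body: str) -> Any:
    """First occurrence wins (model of the upstream parsers named in the advisory)."""
    return json.loads(body, object_pairs_hook=_first_wins_pairs)


def has_duplicate_keys(body: str) -> bool:
    """Gateway-side check: True if the body must be rejected before schema validation."""
    try:
        parse_strict(body)
    except DuplicateKeyError:
        return True
    return False


def parser_views(body: str, field: str):
    """What a last-wins and a first-wins parser each see for one top-level field."""
    return parse_last_wins(body)[field], parse_first_wins(body)[field]


SAMPLE = '{"role": "admin", "role": "user"}'  # constructed sample body
if __name__ == "__main__":
    print(parser_views(SAMPLE, "role"), has_duplicate_keys(SAMPLE))  # ('user', 'admin') True
```

The same body passes a schema that only allows "user" on the last-wins side yet is read as "admin" on the first-wins side, which is why the strict check has to run before the schema check rather than after it.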

🧯 If You Can't Patch

  • Implement strict input validation at upstream application layer to catch duplicate keys
  • Configure WAF or reverse proxy to filter JSON requests with duplicate keys before reaching APISIX

🔍 How to Verify

Check if Vulnerable:

Check the APISIX version with the 'apisix version' command and verify whether the request-validation plugin is enabled in the configuration

Check Version:

apisix version

Verify Fix Applied:

After the upgrade, test with a JSON payload containing duplicate keys to ensure validation catches them

📡 Detection & Monitoring

Log Indicators:

  • Multiple validation failures for same endpoint
  • Unusual JSON parsing errors
  • Requests with malformed JSON structure

Network Indicators:

  • HTTP requests containing JSON with duplicate keys
  • Unusual traffic patterns to validation endpoints

SIEM Query:

source="apisix" AND ("validation" OR "json" OR "duplicate") AND status="200"
