CVE-2024-32638

6.3 MEDIUM

📋 TL;DR

This CVE describes an HTTP request smuggling vulnerability in Apache APISIX when the forward-auth plugin is in use. Attackers can exploit inconsistent HTTP request parsing to bypass security controls, poison caches, or hijack user sessions. Affected users are those running Apache APISIX versions 3.8.0 or 3.9.0 with the forward-auth plugin enabled.

💻 Affected Systems

Products:
  • Apache APISIX
Versions: 3.8.0, 3.9.0
Operating Systems: All
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when forward-auth plugin is enabled and configured.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could bypass authentication entirely, poison proxy caches or downstream systems with malicious content, or hijack user sessions.

🟠

Likely Case

Attackers bypass security controls implemented via forward-auth, potentially gaining unauthorized access to protected resources or services.

🟢

If Mitigated

With proper network segmentation and monitoring, impact is limited to potential cache poisoning or minor security control bypass.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

HTTP request smuggling requires understanding of HTTP protocol inconsistencies and specific plugin behavior.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.8.1, 3.9.1 or higher

Vendor Advisory: https://lists.apache.org/thread/ngvgxllw4zn4hgngkqw2o225kf9wotov

Restart Required: Yes

Instructions:

1. Back up the current configuration.
2. Stop the APISIX service.
3. Upgrade to version 3.8.1, 3.9.1 or higher.
4. Restart the APISIX service.
5. Verify functionality.

🔧 Temporary Workarounds

Disable forward-auth plugin

Applies to: all

Temporarily disable the vulnerable forward-auth plugin until patching is possible:

apisix stop
(edit the APISIX configuration to remove or disable the forward-auth plugin)
apisix start

🧯 If You Can't Patch

  • Implement WAF with HTTP request smuggling protection
  • Monitor for unusual HTTP traffic patterns and implement rate limiting

🔍 How to Verify

Check if Vulnerable:

Run apisix version to confirm the installed version, then check the APISIX configuration files for the forward-auth plugin. An instance on 3.8.0 or 3.9.0 with forward-auth enabled is vulnerable.

Check Version:

apisix version

Verify Fix Applied:

Confirm that apisix version reports 3.8.1, 3.9.1 or higher.

📡 Detection & Monitoring

Log Indicators:

  • Unusual HTTP request patterns
  • Multiple requests on the same connection
  • Requests with conflicting Content-Length and Transfer-Encoding headers

Network Indicators:

  • HTTP requests with malformed headers
  • Unexpected request smuggling patterns

SIEM Query:

source="apisix" AND (http_request_smuggling OR transfer_encoding OR content_length)
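The header-level indicators listed above can be checked directly on request heads captured at the gateway. The following is an added example, not code from the APISIX project or this advisory; it scans constructed sample request heads (not captured traffic) for conflicting Content-Length / Transfer-Encoding headers and obfuscated header names, and returns findings per request.

```python
from typing import Dict, List, Tuple

def parse_head(raw: str) -> List[Tuple[str, str]]:
    """Split a raw HTTP request head into (header-name, value) pairs.
    Names keep their original spelling and whitespace so obfuscation stays visible."""
    pairs = []
    for line in raw.split("\r\n")[1:]:   # skip the request line
        if line == "":
            break                         # blank line ends the headers
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        pairs.append((name, value.strip()))
    return pairs

def smuggling_indicators(raw: str) -> List[str]:
    """Return findings for one request head; an empty list means nothing suspicious."""
    findings = []
    headers = parse_head(raw)
    norm = [(n.strip().lower(), v) for n, v in headers]
    cl = [v for n, v in norm if n == "content-length"]
    te = [v for n, v in norm if n == "transfer-encoding"]
    if cl and te:
        findings.append("Content-Length and Transfer-Encoding both present")
    if len(set(cl)) > 1:
        findings.append("multiple Content-Length headers with different values")
    for v in te:
        if v.lower() != "chunked":
            findings.append(f"unusual Transfer-Encoding value {v!r}")
    for n, _ in headers:
        if n != n.strip():   # e.g. "Transfer-Encoding : chunked" hides the header from some parsers
            findings.append(f"whitespace around header name {n!r}")
    return findings

# Constructed sample request heads (hypothetical host, not captured traffic).
SAMPLES: Dict[str, str] = {
    "clean": "POST /api HTTP/1.1\r\nHost: gw.example\r\nContent-Length: 5\r\n\r\nhello",
    "cl_te": ("POST /api HTTP/1.1\r\nHost: gw.example\r\nContent-Length: 4\r\n"
              "Transfer-Encoding: chunked\r\n\r\n0\r\n\r\n"),
    "obfuscated_te": ("POST /api HTTP/1.1\r\nHost: gw.example\r\n"
                      "Transfer-Encoding : chunked\r\nContent-Length: 0\r\n\r\n"),
}

def scan_samples() -> Dict[str, List[str]]:
    return {name: smuggling_indicators(raw) for name, raw in SAMPLES.items()}

if __name__ == "__main__":
    for name, findings in scan_samples().items():
        print(name, "->", findings or "no indicators")
```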
