CVE-2025-62232

7.5 HIGH

📋 TL;DR

This vulnerability in Apache APISIX exposes basic authentication credentials (usernames and passwords) in plaintext within error logs when log levels are set to INFO or DEBUG. Any system using APISIX with basic authentication enabled is affected. The exposed credentials could be accessed by anyone with log file access.

💻 Affected Systems

Products:
  • Apache APISIX
Versions: All versions before 3.14
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects configurations using basic authentication with INFO or DEBUG log levels.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Attackers gain administrative access to APISIX or backend services by harvesting credentials from logs, leading to complete system compromise.

🟠 Likely Case: Internal users or attackers with log access discover credentials and gain unauthorized access to protected resources.

🟢 If Mitigated: With proper log access controls and monitoring, credential exposure is limited to authorized personnel only.

🌐 Internet-Facing: HIGH - Internet-facing APISIX instances with basic auth expose credentials to anyone who can access logs.
🏢 Internal Only: MEDIUM - Internal systems still risk credential exposure to internal attackers or misconfigured log sinks.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires access to log files or log sinks where credentials are exposed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.14

Vendor Advisory: https://lists.apache.org/thread/32hdgh570btfhg02hfc7p7ckf9v83259

Restart Required: Yes

Instructions:

1. Download Apache APISIX version 3.14 or later.
2. Stop the APISIX service.
3. Replace the existing installation with the new version.
4. Restart the APISIX service.

🔧 Temporary Workarounds

Change log level to WARN or higher

all

Set APISIX log level to WARN, ERROR, or FATAL to prevent credential logging.

Edit APISIX configuration file (conf/config.yaml) and set 'log_level: warn' or higher

Disable basic authentication

all

Replace basic authentication with alternative authentication methods that don't expose credentials.

Modify APISIX routes to use JWT, OAuth, or other authentication plugins

🧯 If You Can't Patch

  • Restrict log file access to authorized personnel only using file permissions and access controls.
  • Implement log filtering or redaction to remove sensitive data before storage or transmission.

🔍 How to Verify

Check if Vulnerable:

Check if APISIX version is below 3.14 and basic authentication is enabled with INFO/DEBUG log levels.

Check Version:

apisix version

Verify Fix Applied:

After upgrading to 3.14+, verify that basic auth credentials no longer appear in logs at INFO/DEBUG levels.

📡 Detection & Monitoring

Log Indicators:

  • Plaintext usernames and passwords in APISIX error logs
  • Basic authentication strings in log entries

Network Indicators:

  • Unauthorized access attempts using credentials found in logs

SIEM Query:

source="apisix.log" AND ("Authorization: Basic" OR "username" OR "password")
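As an added example (not from this advisory or the APISIX project), the Python scanner below applies the log indicators above to constructed APISIX-style error-log lines: it flags Basic tokens that decode to user:pass and username/password pairs, reports which account needs rotating, and emits a redacted copy of the line, which also serves the log-redaction workaround. The log message wording is an assumption for illustration, not APISIX's actual format.

```python
import base64
import binascii
import re

# Constructed sample lines in nginx/APISIX error-log style; the message
# text is assumed for illustration and is not APISIX's real log format.
SAMPLE_LOG = """\
2025/10/01 12:00:01 [info] 17#17: *3 [lua] plugin.lua:42: request ok, client: 10.0.0.5
2025/10/01 12:00:02 [info] 17#17: *4 [lua] basic-auth.lua:88: authorization header: Basic YWxpY2U6czNjcjN0, client: 10.0.0.5
2025/10/01 12:00:03 [debug] 17#17: *5 [lua] basic-auth.lua:91: username: bob password: hunter2, client: 10.0.0.6
2025/10/01 12:00:04 [warn] 17#17: *6 [lua] limit-count.lua:10: quota exceeded, client: 10.0.0.7
"""

BASIC_RE = re.compile(r"Basic\s+([A-Za-z0-9+/=]{4,})")       # HTTP Basic token
KV_RE = re.compile(r"\b(username|password)\s*[:=]\s*([^\s,]+)", re.IGNORECASE)
LEVEL_RE = re.compile(r"\[(\w+)\]")                           # nginx log level

def decode_basic(token):
    """Return the username if token is valid base64 'user:pass', else None."""
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return raw.split(":", 1)[0] if ":" in raw else None

def scan_line(line):
    """Return a finding (level, affected users, redacted line) or None."""
    users, redacted = [], line
    for token in BASIC_RE.findall(line):
        user = decode_basic(token)
        if user is not None:                      # only real user:pass tokens count
            users.append(user)
            redacted = redacted.replace(token, "[REDACTED]")
    for key, value in KV_RE.findall(line):
        if key.lower() == "username":
            users.append(value)                   # keep: says whose secret to rotate
        else:
            redacted = redacted.replace(value, "[REDACTED]")
    if redacted == line:                          # nothing secret was found
        return None
    m = LEVEL_RE.search(line)
    return {"level": m.group(1) if m else "?", "users": users, "redacted": redacted}

def scan_log(text):
    """Scan a whole error log; each finding names a credential to rotate."""
    return [f for f in map(scan_line, text.splitlines()) if f]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"[{f['level']}] users={f['users']} -> {f['redacted']}")
```

Only lines at info/debug produce findings in the sample, matching the advisory's point that WARN or higher stops the leak; the redacted output is what a log-forwarding filter should emit instead of the raw line.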
