CVE-2022-24112
Published: 11 February 2022
Summary
CVE-2022-24112 is a critical-severity Authentication Bypass by Spoofing (CWE-290) vulnerability in Apache APISIX. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 0.0% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SC-7 (Boundary Protection).
Deeper analysis
Apache APISIX contains a flaw in its batch-requests plugin: the check that is meant to override the client-supplied IP with the real remote IP address can be bypassed. This lets an attacker spoof the source address of requests and evade IP-based access controls on the Admin API. The issue affects default installations that keep the built-in API key and expose the Admin API on the same port as the data plane, giving a CVSS 9.8 remote code execution vector; changing the admin key or moving the Admin API to a separate port reduces but does not eliminate the risk of IP-restriction bypass.
Unauthenticated remote attackers can send crafted batch requests that reach administrative endpoints despite configured IP allow-lists. In the default configuration this leads directly to arbitrary code execution on the gateway; even after key or port changes, an attacker who can reach the data plane can still abuse the same plugin logic to circumvent IP restrictions and perform privileged operations.
Public advisories and exploit disclosures, including the Apache OSS-Security list and multiple Packet Storm entries, highlight that the root cause is an incomplete IP-verification check inside the batch-requests plugin. Recommended mitigations center on disabling the plugin when not required, enforcing a non-default admin key, and ensuring the Admin API listens on a distinct, firewalled port from the data plane.
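The three mitigations above, shown as an added configuration example (not taken from the advisory or the APISIX project): two `conf/config.yaml` fragments for an Apache APISIX 2.x gateway, the weak layout the advisory describes beside a hardened one. Key names assume the 2.x configuration schema (`apisix.port_admin`, `apisix.admin_key`, top-level `plugins`); the key values are placeholders.

```yaml
# Added example, not from the advisory. Assumes the APISIX 2.x config.yaml schema.
# --- Weak: the default layout the advisory calls vulnerable ---
apisix:
  node_listen: 9080            # data plane port
  enable_admin: true
  # no port_admin: the Admin API is served on 9080, alongside the data plane
  allow_admin:
    - 127.0.0.0/24             # this IP allow-list alone is what the flaw bypasses
  admin_key:
    - name: admin
      key: <DEFAULT-SHIPPED-KEY>   # placeholder: the unchanged default key
      role: admin
plugins:
  - batch-requests             # vulnerable plugin left enabled
  - limit-count
---
# --- Hardened: distinct firewalled port, non-default key, plugin disabled ---
apisix:
  node_listen: 9080
  enable_admin: true
  port_admin: 9180             # Admin API on its own port; restrict it at the firewall too
  allow_admin:
    - 127.0.0.0/24             # keep the allow-list, but do not rely on it alone
  admin_key:
    - name: admin
      key: <LONG-RANDOM-SECRET>    # placeholder: generate e.g. with `openssl rand -hex 32`
      role: admin
plugins:
  # batch-requests intentionally omitted until the gateway runs a fixed release
  - limit-count
```

Removing the plugin is the only one of the three changes that closes the IP-restriction bypass itself; the port and key changes reduce what a bypass can reach.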
The CVE maintains an extremely high EPSS score with a recorded peak of 0.9744, indicating sustained exploitation interest following disclosure. Public proof-of-concept code has been available since February 2022.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-29024
Vulnerability details
An attacker can abuse the batch-requests plugin to send requests that bypass the IP restriction of the Admin API. A default configuration of Apache APISIX (with the default API key) is vulnerable to remote code execution. When the admin key was changed, or the port of the Admin API was changed to a port different from the data plane, the impact is lower. But there is still a risk of bypassing the IP restriction of Apache APISIX's data plane. There is a check in the batch-requests plugin which overrides the client IP with its real remote IP. But due to a bug in the code, this check can be bypassed.
- CWE(s): CWE-290 (Authentication Bypass by Spoofing)
- KEV Date Added: 25 August 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): Directly enforces the IP-based access control policy on the Admin API that the batch-requests plugin flaw allows an attacker to bypass.
- SC-7 (Boundary Protection): Implements boundary protection mechanisms that restrict administrative traffic to authorized source addresses, mitigating the remote IP-spoofing vector.
- Requires validation of client-supplied data (batch-request headers) so that an attacker cannot override or spoof the real remote IP address used for access decisions.