CVE-2022-24112 in APISIX
Summary
by MITRE • 02/11/2022
An attacker can abuse the batch-requests plugin to send requests to bypass the IP restriction of Admin API. A default configuration of Apache APISIX (with default API key) is vulnerable to remote code execution. When the admin key was changed or the port of Admin API was changed to a port different from the data panel, the impact is lower. But there is still a risk to bypass the IP restriction of Apache APISIX's data panel. There is a check in the batch-requests plugin which overrides the client IP with its real remote IP. But due to a bug in the code, this check can be bypassed.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 01/30/2025
The vulnerability CVE-2022-24112 represents a critical security flaw in Apache APISIX, a high-performance API gateway that serves as a central point for API management and security enforcement. This vulnerability specifically targets the batch-requests plugin, which is designed to allow multiple API operations to be executed in a single request, but contains a fundamental flaw that undermines the security controls protecting the Admin API. The issue stems from improper handling of client IP addresses within the plugin's validation logic, creating a pathway for unauthorized access that can bypass critical IP restriction mechanisms. The vulnerability is particularly concerning because it can lead to remote code execution when the default API key is used, making it a severe threat to systems that rely on Apache APISIX for API gateway functionality.
The technical implementation of this vulnerability involves a code-level bug in the batch-requests plugin that should have enforced IP address validation but instead allows attackers to manipulate the client IP detection mechanism. This flaw operates through a specific bypass technique where the plugin's attempt to override the client IP with the real remote IP address contains a logical error that can be exploited by malicious actors. The vulnerability manifests when the plugin processes batch requests and fails to properly validate the source IP address, allowing an attacker to craft requests that appear to originate from authorized IP addresses. This represents a classic case of improper input validation and access control enforcement, which aligns with CWE-284 access control weaknesses and specifically relates to the ATT&CK technique T1078 Valid Accounts for privilege escalation and lateral movement. The vulnerability affects systems where the default configuration is used without proper security hardening, particularly when the admin key remains unchanged and the Admin API port is accessible through the data panel.
The operational impact of CVE-2022-24112 extends beyond simple IP restriction bypass, as it can potentially lead to complete system compromise when default credentials are in use. Organizations running Apache APISIX with default configurations face significant risk of unauthorized access to the Admin API, which could enable attackers to modify API configurations, add malicious routes, or even execute arbitrary code on the system. Even when administrators have changed the admin key or moved the Admin API to a different port, the vulnerability still presents a risk for bypassing IP restrictions on the data panel, which can serve as an entry point for further attacks. The vulnerability's exploitability is enhanced by the fact that it requires minimal privileges to execute, as attackers only need to send specially crafted batch requests to the affected plugin endpoint. This makes it particularly dangerous in environments where the data panel is exposed to untrusted networks or where proper network segmentation has not been implemented.
Mitigation strategies for CVE-2022-24112 should focus on immediate configuration hardening and architectural defenses. Organizations must immediately change default API keys and implement proper network segmentation to isolate the Admin API from general access, ensuring that the Admin API port is not accessible through the data panel interface. The recommended approach includes disabling the batch-requests plugin if it is not required for operations, or implementing proper IP whitelisting for all API endpoints, including those that handle batch operations. Network-level controls should be implemented to restrict access to the Admin API to only trusted IP addresses, and organizations should consider implementing additional authentication mechanisms such as mutual TLS authentication or API key rotation policies. The vulnerability also highlights the importance of regular security audits and penetration testing of API gateway configurations, as well as the need for proper security monitoring to detect anomalous batch request patterns that could indicate exploitation attempts. Organizations should also consider implementing web application firewalls and intrusion detection systems to monitor for the specific attack patterns associated with this vulnerability. The fix for this issue requires updating to Apache APISIX versions that contain the patched batch-requests plugin, with the specific patch addressing the IP validation bypass logic that was present in the vulnerable code.