CVE-2022-24112

apisix/batch-requests plugin allows overwriting the X-REAL-IP header

Basic Information

CVE State
PUBLISHED
Reserved Date
January 28, 2022
Published Date
February 11, 2022
Last Updated
January 29, 2025
Vendor
Apache Software Foundation
Product
Apache APISIX
Description
An attacker can abuse the batch-requests plugin to send requests that bypass the IP restriction of the Admin API. A default configuration of Apache APISIX (with the default API key) is vulnerable to remote code execution. If the admin key has been changed, or the Admin API has been moved to a port different from the data plane, the impact is lower, but there is still a risk of bypassing the IP restriction of Apache APISIX's data plane. The batch-requests plugin contains a check that overrides the client IP with the real remote IP, but due to a bug in the code this check can be bypassed.

CVSS Scores

CVSS v3.1

9.8 - CRITICAL

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

SSVC Information

Exploitation
active
Automatable
Yes
Technical Impact
total

Exploit Status

Exploited in the Wild
Yes (added 2022-08-25 00:00:00 UTC)
Proof of Concept Available
Yes (added 2022-03-17 08:22:54 UTC)

Known Exploited Vulnerability Information

Source
CISA
Added Date
2022-08-25 00:00:00 UTC

Potential Proof of Concepts

Warning: These PoCs have not been tested and could contain malware. Use at your own risk.

apache_apisix_api_default_token_rce

Type: metasploit • Created: Unknown

Metasploit module for CVE-2022-24112

Acczdy/CVE-2022-24112_POC

Type: github • Created: 2022-12-03 14:31:28 UTC • Stars: 5

CVE-2022-24112_POC

kavishkagihan/CVE-2022-24112-POC

Type: github • Created: 2022-03-17 08:22:54 UTC • Stars: 2

Apache APISIX 2.12.1 Remote Code Execution by IP restriction bypass and using the default admin API token

M4xSec/Apache-APISIX-CVE-2022-24112

Type: github • Created: 2022-03-16 09:19:12 UTC • Stars: 12

Apache APISIX Remote Code Execution (CVE-2022-24112) proof of concept exploit

Mah1ndra/CVE-2022-24112

Type: github • Created: 2022-03-08 17:08:52 UTC • Stars: 7

CVE-2022-24112: Apache APISIX Remote Code Execution Vulnerability

Axx8/CVE-2022-24112

Type: github • Created: 2022-02-25 15:17:28 UTC • Stars: 8

Apache APISIX batch-requests RCE (CVE-2022-24112)

Mr-xn/CVE-2022-24112

Type: github • Created: 2022-02-22 14:09:49 UTC • Stars: 44

CVE-2022-24112: Apache APISIX apisix/batch-requests RCE