CVE-2022-24112 — Apache APISIX Authentication Bypass Vulnerability

CVE-2022-24112

Apache APISIX — Admin API Authentication Bypass via Batch-Requests Plugin Abuse

What is Apache APISIX?

Apache APISIX is a high-performance, cloud-native API gateway used to manage, route, and secure API traffic in microservice architectures. It is widely deployed in Kubernetes environments and supports plugins for authentication, rate limiting, traffic transformation, and observability. The Admin API is the management plane that allows operators to configure routes, plugins, upstreams, and services — typically restricted to localhost or a private management network.

Overview

CVE-2022-24112 is an authentication bypass in Apache APISIX: an attacker can abuse the batch-requests plugin to route requests to the restricted Admin API, bypassing the IP-based access controls that normally limit it to localhost. This allows creating or modifying APISIX routes with malicious serverless function definitions that execute arbitrary code on the gateway. CVSS 9.8. CISA added it to KEV in August 2022.

Affected Versions

Version                     Status
Apache APISIX 1.3 – 2.12.0  Vulnerable
Apache APISIX 2.12.1        Fixed
Apache APISIX 2.10.4 LTS    Fixed (backport)

Technical Details

Apache APISIX's Admin API is normally bound to 127.0.0.1 (localhost only) and protected by an API key. The batch-requests plugin is a legitimate feature allowing clients to bundle multiple API calls into a single HTTP request for efficiency. However, the plugin processes these batched sub-requests server-side — and in affected versions, it does not restrict which internal endpoints those sub-requests can target.

Attack flow:

  1. Attacker sends a POST /apisix/batch-requests request to the public-facing APISIX data plane port (no authentication required for batch-requests)
  2. The batch payload includes a sub-request targeting http://127.0.0.1:9080/apisix/admin/routes/ — the Admin API endpoint
  3. The sub-request adds or modifies a route with a Lua serverless plugin payload containing OS command execution
  4. APISIX evaluates the Lua code for subsequent requests matching the route, achieving RCE

The bypass works because the batch-requests plugin executes sub-requests in the context of the server itself (loopback), making the Admin API IP restriction ineffective.

Discovery

Discovered by security researchers and disclosed to the Apache Security team. The fix in APISIX 2.12.1 restricts the batch-requests plugin from forwarding requests to internal Admin API endpoints.

Exploitation Context

API gateways are high-value targets because they sit in front of all microservices and can intercept, modify, or reroute all API traffic. Compromising APISIX gives attackers:

  • Ability to exfiltrate all API request/response data passing through the gateway
  • Route manipulation to redirect traffic to attacker-controlled servers
  • Serverless Lua execution for persistent code execution on the gateway node
  • Potential access to upstream service credentials stored in APISIX configuration

CISA adds a CVE to KEV only on evidence of active exploitation, so the KEV listing roughly six months after the patch indicates exploitation was observed against organizations still running unpatched APISIX deployments.

Remediation

  1. Upgrade to APISIX 2.12.1 or 2.10.4 LTS: The fix prevents batch-requests from targeting Admin API paths.
  2. Disable the batch-requests plugin if unused: If your deployment does not use batched requests, disable the plugin entirely in your APISIX configuration.
  3. Network isolation of Admin API: Ensure the Admin API port (default 9180) is not accessible from outside the management network even after patching.
  4. Use Admin API key authentication: Ensure a strong API key is configured for the Admin API (allow_admin in config.yaml).
  5. Monitor APISIX route configurations: Audit existing routes and plugins for unauthorized additions, particularly serverless Lua functions.
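The audit in step 5 and the request pattern described under Technical Details, as an added example that is not part of this advisory or of the APISIX project: the first function scans an Admin API route listing (the etcd-style response shape of APISIX 2.x, assumed here) for serverless Lua plugins, and the second inspects a logged batch-requests body for pipeline entries aimed at the Admin API. The route listing and batch body are constructed sample data.

```python
# Added example (not the project's own code): flag serverless Lua plugins in
# an APISIX 2.x Admin API route listing, and flag batch-requests payloads whose
# pipeline targets the Admin API. All sample data below is constructed.
import json

SERVERLESS_PLUGINS = ("serverless-pre-function", "serverless-post-function")
ADMIN_PREFIX = "/apisix/admin"

# Constructed sample of GET /apisix/admin/routes (assumed 2.x response shape).
ROUTE_LISTING = {"node": {"nodes": [
    {"key": "/apisix/routes/1", "value": {"uri": "/api/orders",
     "plugins": {"limit-count": {"count": 10}}}},
    {"key": "/apisix/routes/2", "value": {"uri": "/healthz",
     "plugins": {"serverless-pre-function": {"phase": "rewrite",
                 "functions": ["return function() end"]}}}},
]}}

# Constructed sample body of a POST /apisix/batch-requests as it would be logged.
BATCH_BODY = json.dumps({"pipeline": [
    {"method": "GET", "path": "/api/orders"},
    {"method": "PUT", "path": "/apisix/admin/routes/2", "body": "{}"},
]})


def audit_routes(listing: dict) -> list:
    """Return (route_key, plugin_name, phase) for every route carrying a
    serverless plugin; each hit needs a manual review of its Lua source."""
    hits = []
    for node in listing.get("node", {}).get("nodes", []):
        plugins = node.get("value", {}).get("plugins", {})
        for name in SERVERLESS_PLUGINS:
            if name in plugins:
                # "access" is the plugin's documented default phase.
                phase = plugins[name].get("phase", "access")
                hits.append((node["key"], name, phase))
    return hits


def batch_targets_admin(body: str) -> list:
    """Return the pipeline paths in a batch-requests body that point at the
    Admin API; a non-empty result is the CVE-2022-24112 bypass pattern."""
    try:
        payload = json.loads(body)
    except json.JSONDecodeError:
        return []  # not a batch-requests body; nothing to flag
    return [step.get("path", "") for step in payload.get("pipeline", [])
            if step.get("path", "").startswith(ADMIN_PREFIX)]
```

Run `audit_routes` against a listing pulled from your own Admin API and `batch_targets_admin` over captured request bodies; both return empty lists on clean input.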

Key Details

Property              Value
CVE ID                CVE-2022-24112
Vendor / Product      Apache — APISIX
NVD Published         2022-02-11
NVD Last Modified     2025-10-23
CVSS 3.1 Score        9.8
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity              CRITICAL
CWE                   CWE-290
CISA KEV Added        2022-08-25
CISA KEV Deadline     2022-09-15
Known Ransomware Use  No

CVSS 3.1 Breakdown

Attack Vector:       Network
Attack Complexity:   Low
Privileges Required: None
User Interaction:    None
Scope:               Unchanged
Confidentiality:     High
Integrity:           High
Availability:        High

Required Action

CISA BOD 22-01 Deadline: 2022-09-15. Apply updates per vendor instructions.

Timeline

Date        Event
2022-02-11  CVE published; Apache APISIX 2.12.1 released with fix
2022-08-25  Added to CISA Known Exploited Vulnerabilities catalog
2022-09-15  CISA BOD 22-01 remediation deadline

References

Resource                                    Type
NVD — CVE-2022-24112                        Vulnerability Database
CISA KEV Catalog Entry                      US Government
Apache Security Advisory — CVE-2022-24112   Vendor Advisory