CVE-2022-24112

Tags: Known Exploited, Public Exploit
apisix/batch-requests plugin allows overwriting the X-REAL-IP header

Description

An attacker can abuse the batch-requests plugin to send requests that bypass the IP restriction of the Admin API. A default configuration of Apache APISIX (with the default admin API key) is vulnerable to remote code execution. When the admin key has been changed, or the Admin API has been moved to a port different from the data plane's, the impact is lower, but there is still a risk of bypassing the IP restriction on Apache APISIX's data plane. The batch-requests plugin contains a check that overrides the client IP with the real remote IP, but due to a bug in the code this check can be bypassed.

Remediation

Workaround:

  • Explicitly configure the enabled plugins in `conf/config.yaml` and ensure `batch-requests` is disabled (or just comment out `batch-requests` in `conf/config-default.yaml`).
  • Or upgrade to 2.10.4 or 2.12.1.
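A small audit helper for the two remediation paths above, added here as an example and not part of the advisory or the APISIX project: it reports whether a running release is at or past the fixed versions named above and, if not, whether `conf/config.yaml` explicitly lists plugins without `batch-requests`. It assumes the top-level `plugins:` key of `conf/config.yaml` in its flat list form; the sample configs are constructed.

```python
import re
from typing import Optional

def parse_version(v: str) -> tuple:
    """'2.10.3' -> (2, 10, 3); tolerates a leading 'v'."""
    return tuple(int(p) for p in v.lstrip("v").split("."))

def is_fixed_version(v: str) -> bool:
    """Fixed releases named in the advisory: 2.10.4 on the 2.10 line,
    2.12.1 otherwise. Anything else is treated as needing the workaround."""
    ver = parse_version(v)
    if ver[:2] == (2, 10):
        return ver >= (2, 10, 4)
    return ver >= (2, 12, 1)

def enabled_plugins(config_yaml: str) -> Optional[list]:
    """Return the top-level `plugins:` list from conf/config.yaml text, or
    None when the key is absent (APISIX then falls back to the bundled
    defaults, which include batch-requests on affected releases).
    Simplified parser (assumption): handles only the flat '  - name' form."""
    lines = config_yaml.splitlines()
    for i, line in enumerate(lines):
        if re.match(r"^plugins:\s*$", line):
            items = []
            for nxt in lines[i + 1:]:
                m = re.match(r"^\s+-\s*([\w-]+)", nxt)
                if m:
                    items.append(m.group(1))
                elif nxt.strip() and not nxt.startswith(" "):
                    break  # reached the next top-level key
            return items
    return None

def audit(version: str, config_yaml: str) -> str:
    """Classify a deployment by version first, then by plugin configuration."""
    if is_fixed_version(version):
        return "ok: fixed release"
    plugins = enabled_plugins(config_yaml)
    if plugins is None:
        return "vulnerable: no explicit plugins list, defaults apply"
    if "batch-requests" in plugins:
        return "vulnerable: batch-requests enabled"
    return "mitigated: batch-requests disabled, upgrade still advised"

# Constructed sample configs: one relying on defaults, one with an explicit list.
CONFIG_DEFAULTS = "apisix:\n  node_listen: 9080\n"
CONFIG_HARDENED = "apisix:\n  node_listen: 9080\nplugins:\n  - ip-restriction\n  - limit-count\n"
```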

Details

CVSS score: 9.8 (Severity: Critical)
EPSS: 94.34% (Top 5%)
Listed in CISA KEV
Affected: Apache Software Foundation Apache APISIX

References

  • Vendor advisory: apache.org
Frequently Asked Questions

What is the severity of CVE-2022-24112?
CVE-2022-24112 has been scored as a critical severity vulnerability.
How to fix CVE-2022-24112?
As a workaround for remediating CVE-2022-24112, explicitly configure the enabled plugins in `conf/config.yaml` and ensure `batch-requests` is disabled (or just comment out `batch-requests` in `conf/config-default.yaml`); or upgrade to 2.10.4 or 2.12.1.
Is CVE-2022-24112 being actively exploited in the wild?
It is confirmed that CVE-2022-24112 is actively exploited. Be extra cautious if you are using vulnerable components. According to its EPSS score, there is a ~94% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2022-24112?
CVE-2022-24112 affects Apache Software Foundation Apache APISIX.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registered trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registered trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.