CVE-2022-24112 Overview
CVE-2022-24112 is a critical authentication bypass vulnerability in Apache APISIX that lets attackers abuse the batch-requests plugin to bypass IP restrictions on the Admin API. A default configuration of Apache APISIX that still uses the default API key is vulnerable to remote code execution. The flaw lies in the batch-requests plugin's IP validation logic: the plugin is meant to override the client IP carried in the request with the real remote IP, but a bug in the implementation allows that check to be bypassed.
Critical Impact
This vulnerability enables unauthenticated remote code execution on Apache APISIX instances using default configurations. It has been added to CISA's Known Exploited Vulnerabilities catalog, indicating active exploitation in the wild.
Affected Products
- Apache APISIX (versions prior to security patch)
- Apache APISIX with batch-requests plugin enabled
- Apache APISIX with default API key configuration
Discovery Timeline
- 2022-02-11 - CVE-2022-24112 published to NVD
- 2025-10-23 - Last updated in NVD database
Technical Details for CVE-2022-24112
Vulnerability Analysis
This vulnerability is classified under CWE-290 (Authentication Bypass by Spoofing). The batch-requests plugin in Apache APISIX is designed to allow multiple API requests to be bundled and sent in a single HTTP request. The plugin includes a security check intended to validate the client's real IP address to enforce Admin API access restrictions.
The core issue lies in how the batch-requests plugin processes incoming requests. The plugin contains logic to override the client IP with the actual remote IP address to prevent IP spoofing attacks. However, due to a bug in this validation logic, attackers can craft requests that bypass this check entirely, allowing them to send requests to the Admin API as if they originated from a trusted IP address.
When Apache APISIX is deployed with the default API key (a common misconfiguration), successful exploitation of this bypass leads directly to remote code execution. Even when the admin key has been changed or the Admin API port differs from the data panel port, the vulnerability still enables bypassing IP restrictions on the data panel.
Root Cause
The root cause is a logic flaw in the batch-requests plugin's IP validation mechanism. The check designed to replace the spoofed client IP with the real remote IP can be circumvented, allowing attackers to impersonate trusted internal IP addresses. This authentication bypass, combined with the batch-requests functionality that forwards requests internally, creates a pathway to reach protected Admin API endpoints.
Attack Vector
The attack is network-based and requires no authentication or user interaction. An attacker can exploit this vulnerability remotely by sending specially crafted HTTP requests to the batch-requests endpoint. The attack flow involves:
- Sending a crafted batch request to the publicly accessible APISIX endpoint
- Exploiting the IP validation bypass to have the request appear from a trusted source
- Using the batch-requests plugin to forward malicious requests to the Admin API
- On default configurations, leveraging Admin API access to achieve remote code execution
The vulnerability is particularly severe because it can be exploited without any prior authentication. Technical details on exploitation techniques are available in the Packet Storm RCE Exploit and Packet Storm RCE Update publications.
Detection Methods for CVE-2022-24112
Indicators of Compromise
- Unusual HTTP requests to the /apisix/batch-requests endpoint containing Admin API paths
- Requests attempting to access Admin API endpoints from external IP addresses
- Evidence of unauthorized route or plugin configuration changes in APISIX
- Unexpected process execution or shell commands originating from APISIX service accounts
Detection Strategies
- Monitor HTTP access logs for batch-requests endpoint activity with suspicious payloads
- Implement network-level detection for requests containing Admin API paths within batch-request bodies
- Deploy Web Application Firewall (WAF) rules to inspect and block malicious batch-request patterns
- Enable detailed audit logging for all Admin API configuration changes
Monitoring Recommendations
- Alert on any external network access attempts to Admin API endpoints
- Monitor for configuration changes to routes, plugins, or upstream settings
- Track APISIX process behavior for anomalous child process creation
- Implement network segmentation monitoring between APISIX and backend services
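The detection strategies and monitoring recommendations above boil down to one check: does a request to the batch-requests endpoint carry Admin API paths in its pipeline, and does it come from outside the management network? The following Python detector is an added example, not code from the page or from the APISIX project; it assumes captured events with a client IP, request URI and request body, a hypothetical 10.10.0.0/16 management range, and constructed sample records. The pipeline body layout follows the plugin's documented request format.

```python
import ipaddress
import json
import posixpath
from urllib.parse import urlsplit
BATCH_ENDPOINT = "/apisix/batch-requests"
ADMIN_PREFIX = "/apisix/admin"
# Hypothetical management range; replace with the networks allowed to reach the Admin API.
TRUSTED_ADMIN_NETS = [ipaddress.ip_network("10.10.0.0/16")]

def admin_calls_in_batch(body: str) -> list:
    """Return 'METHOD path' for each pipeline entry whose path resolves under /apisix/admin.
    The top-level "pipeline" list of {"method", "path", ...} follows the plugin's documented body."""
    try:
        doc = json.loads(body)
    except ValueError:
        return []
    pipeline = doc.get("pipeline") if isinstance(doc, dict) else None
    hits = []
    for entry in pipeline or []:
        if not isinstance(entry, dict):
            continue
        # Normalise so "/apisix//admin" or "/x/../apisix/admin" are not missed.
        path = posixpath.normpath(urlsplit(str(entry.get("path", ""))).path or "/")
        if path == ADMIN_PREFIX or path.startswith(ADMIN_PREFIX + "/"):
            hits.append(f"{entry.get('method', 'GET')} {path}")
    return hits

def scan(events: list) -> list:
    """events: dicts with 'src' (client IP), 'uri' (request URI) and 'body' (request body)."""
    alerts = []
    for ev in events:
        if urlsplit(ev["uri"]).path != BATCH_ENDPOINT:
            continue
        hits = admin_calls_in_batch(ev["body"])
        if hits:
            external = not any(ipaddress.ip_address(ev["src"]) in net for net in TRUSTED_ADMIN_NETS)
            alerts.append({"src": ev["src"], "external": external, "admin_calls": hits})
    return alerts

# Constructed sample records (not real traffic): a benign batch, an Admin API path in a batch, a non-batch call.
SAMPLE_EVENTS = [
    {"src": "10.10.3.7", "uri": BATCH_ENDPOINT,
     "body": json.dumps({"pipeline": [{"method": "GET", "path": "/shop/items"}]})},
    {"src": "203.0.113.5", "uri": BATCH_ENDPOINT + "?x=1",
     "body": json.dumps({"pipeline": [{"method": "PUT", "path": "/apisix/../apisix/admin/routes/1"}]})},
    {"src": "203.0.113.9", "uri": "/shop/items", "body": ""},
]
if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Feed it the request body as captured by a WAF or an access log with body logging enabled; any alert with "external": True maps directly to the first monitoring recommendation.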
How to Mitigate CVE-2022-24112
Immediate Actions Required
- Change the default Admin API key immediately if still in use
- Disable the batch-requests plugin if not required for operations
- Restrict Admin API access to trusted internal IP addresses at the network level
- Apply the latest security patches from Apache APISIX
Patch Information
Apache has released security patches addressing CVE-2022-24112. Organizations should update to the latest patched version of Apache APISIX immediately. Refer to the Apache Security Mailing List for official patch information and the Openwall OSS-Security Discussion for additional security guidance.
This vulnerability is listed in CISA's Known Exploited Vulnerabilities Catalog, making remediation mandatory for federal agencies and strongly recommended for all organizations.
Workarounds
- Disable the batch-requests plugin by removing it from the enabled plugins list in the APISIX configuration
- Configure firewall rules to block external access to the batch-requests endpoint
- Change the Admin API to use a non-default port and bind it to localhost or internal network interfaces only
- Implement network-level ACLs restricting Admin API access to specific management IP addresses
# Configuration example - disable the batch-requests plugin in config.yaml
# Remove 'batch-requests' from the plugins list
plugins:
  - api-breaker
  - authz-keycloak
  - basic-auth
  # - batch-requests   # DISABLED for CVE-2022-24112 mitigation
  - consumer-restriction
  - cors

# Restrict the Admin API to localhost only
apisix:
  admin_key:
    - name: "admin"
      key: "CHANGE_THIS_TO_UNIQUE_SECURE_KEY"   # Never use the default key
      role: admin
  admin_listen:
    ip: 127.0.0.1   # Bind to localhost only
    port: 9180
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.