CVE-2022-25757 Overview
CVE-2022-25757 is an improper input validation vulnerability in Apache APISIX versions prior to 2.13.0. The flaw allows attackers to bypass the body_schema validation in the request-validation plugin by submitting JSON payloads containing duplicate keys. The Lua-based JSON parser lua-cjson selects the last occurrence of a duplicate key, while certain upstream JSON libraries such as jsoniter or gojay select the first occurrence. This parser disagreement enables attackers to smuggle malicious values past APISIX validation while delivering them to the upstream application [CWE-20].
Critical Impact
Remote, unauthenticated attackers can bypass request schema validation and inject unvalidated input into upstream applications, undermining the API gateway's security controls.
Affected Products
- Apache APISIX versions 2.12.1 and prior
- Apache APISIX deployments using the request-validation plugin with body_schema
- Upstream applications using JSON parsers that select the first duplicate key value (jsoniter, gojay)
Discovery Timeline
- 2022-03-28 - CVE-2022-25757 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2022-25757
Vulnerability Analysis
Apache APISIX is an open-source API gateway that uses the request-validation plugin to enforce JSON schema constraints on incoming request bodies. The plugin relies on lua-cjson to parse client-supplied JSON before applying schema rules. When the parser encounters duplicate keys, it retains only the final occurrence and discards earlier values. Schema validation therefore operates on a reduced view of the payload.
After validation succeeds, APISIX forwards the original request body to the upstream service without re-encoding it. If the upstream uses a JSON library that prefers the first occurrence of a duplicate key, the upstream sees a different value than APISIX validated. This parser inconsistency creates a validation bypass at the gateway boundary.
For example, the payload {"string_payload":"bad","string_payload":"good"} is validated by APISIX against the value "good" but processed by jsoniter or gojay upstream as "bad". Any security control that depends on the gateway sanitizing input fails closed only at the gateway, not at the application.
Root Cause
The root cause is divergent behavior across JSON parsers for non-unique keys, combined with APISIX forwarding the raw original payload rather than the normalized parsed representation. RFC 8259 leaves duplicate key handling implementation-defined, and APISIX did not enforce a canonical interpretation.
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker crafts a JSON request containing at least one duplicate key, places the value that would pass validation in the position favored by lua-cjson (last occurrence), and places the malicious payload in the position favored by the upstream parser (first occurrence). The request traverses APISIX, passes schema checks, and reaches the application with attacker-controlled input.
The vulnerability manifests only when three conditions hold: the route uses body_schema in the request-validation plugin, the upstream consumes the body with a first-key-wins JSON library, and the upstream omits its own input validation. See the Apache Mailing List Thread for the full technical advisory.
Detection Methods for CVE-2022-25757
Indicators of Compromise
- Inbound JSON request bodies containing duplicate object keys, particularly for fields covered by body_schema rules
- Upstream application logs showing field values that differ from values logged by APISIX for the same request
- Successful requests to routes protected by request-validation whose payloads contain values that should have been rejected
Detection Strategies
- Inspect raw request bodies at the API gateway and alert on JSON objects containing repeated keys
- Compare parsed request fields between APISIX access logs and upstream application logs to surface parser disagreement
- Add a pre-validation step that rejects payloads whose top-level or nested objects contain duplicate keys
Monitoring Recommendations
- Enable verbose request-validation plugin logging and forward logs to a centralized analytics platform for correlation
- Monitor APISIX versions in production and alert when instances run a release earlier than 2.13.0
- Track anomalous spikes in request-validation plugin pass rates for endpoints handling sensitive fields
How to Mitigate CVE-2022-25757
Immediate Actions Required
- Upgrade Apache APISIX to version 2.13.0 or later, which re-encodes the validated JSON back into the request body before forwarding it upstream
- Audit all routes that use the request-validation plugin with body_schema and inventory upstream services consuming those routes
- Add server-side input validation in upstream applications so the gateway is not the sole enforcement point
Patch Information
The fix shipped in Apache APISIX 2.13.0. APISIX now re-encodes the parsed JSON object after validation and replaces the original request body, eliminating the duplicate-key discrepancy between the gateway and upstream parsers. Refer to the Apache Mailing List Thread and the Openwall OSS-Security Discussion for release details.
Workarounds
- Deploy a pre-filter that rejects JSON payloads containing duplicate keys before they reach the request-validation plugin
- Standardize upstream services on a JSON parser that matches lua-cjson semantics (last-key-wins) or one that rejects duplicate keys outright
- Enforce defense-in-depth by requiring upstream applications to revalidate all input against the same schema used at the gateway
# Verify the running APISIX version and upgrade if below 2.13.0
apisix version
# Upgrade via package manager or container image, for example:
docker pull apache/apisix:2.13.0-alpine
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
