| Vendor | Product | Affected Versions | CPE |
|---|---|---|---|
| Apache Software Foundation | Apache APISIX | Apache APISIX 2.12 ~ 2.12.1 | - |

| # | POC Description | Source Link |
|---|---|---|
| 1 | CVE-2022-24112: Apache APISIX apisix/batch-requests RCE | https://github.com/Mr-xn/CVE-2022-24112 |
| 2 | Apache APISIX apisix/batch-requests RCE | https://github.com/Udyz/CVE-2022-24112 |
| 3 | Apache APISIX batch-requests RCE (CVE-2022-24112) | https://github.com/Axx8/CVE-2022-24112 |
| 4 | CVE-2022-24112: Apache APISIX Remote Code Execution Vulnerability | https://github.com/Mah1ndra/CVE-2022-24112 |
| 5 | Apache APISIX Remote Code Execution (CVE-2022-24112) proof of concept exploit | https://github.com/M4xSec/Apache-APISIX-CVE-2022-24112 |
| 6 | Apache APISIX 2.12.1 Remote Code Execution by IP restriction bypass and using default admin API token | https://github.com/kavishkagihan/CVE-2022-24112-POC |
| 7 | Apache APISIX < 2.12.1 Remote Code Execution and Docker Lab | https://github.com/twseptian/cve-2022-24112 |
| 8 | CVE-2022-24112_POC | https://github.com/Acczdy/CVE-2022-24112_POC |
| 9 | None | https://github.com/wshepherd0010/CVE-2022-24112-Lab |
| 10 | New exploit for Apache APISIX 2.12.1 - Remote Code Execution (RCE) | https://github.com/btar1gan/exploit_CVE-2022-24112 |
| 11 | Apache APISIX apisix/batch-requests RCE | https://github.com/CrackerCat/CVE-2022-24112 |
| 12 | A default configuration of Apache APISIX (with default API key) is vulnerable to remote code execution. An attacker can abuse the batch-requests plugin to send requests to bypass the IP restriction of Admin API. When the admin key was changed or the port of Admin API was changed to a port different from the data panel, the impact is lower. But there is still a risk to bypass the IP restriction of Apache APISIX's data panel. There is a check in the batch-requests plugin which overrides the client IP with its real remote IP. But due to a bug in the code, this check can be bypassed. | https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2022/CVE-2022-24112.yaml |
| 13 | Apache APISIX batch-requests RCE (CVE-2022-24112) | https://github.com/SecNN/CVE-2022-24112 |
| 14 | None | https://github.com/fatkz/CVE-2022-24112 |

| CVE | Description |
|---|---|
| CVE-2022-24289 | Deserialization of untrusted data in the Hessian Component of Apache Cayenne 4.1 with olde |
| CVE-2021-44521 | Remote code execution for scripted UDFs |