Apache

Apisix

9 vulnerabilities found.

Note: This list may be incomplete. Data is provided without warranty in its original format.
  • EPSS 0.01%
  • Published 06.07.2025 06:15:21
  • Last modified 14.07.2025 18:10:20

Incorrect Permission Assignment for Critical Resource vulnerability in Apache APISIX (java-plugin-runner). Local listening file permissions in APISIX plugin runner allow a local attacker to elevate privileges. This issue affects Apache APISIX(java-pl...

  • EPSS 0.08%
  • Published 02.07.2025 11:08:47
  • Last modified 09.07.2025 15:25:56

A vulnerability of plugin openid-connect in Apache APISIX. This vulnerability will only have an impact if all of the following conditions are met: 1. Use the openid-connect plugin with introspection mode 2. The auth service connected to openid-conne...

  • EPSS 0.26%
  • Published 02.05.2024 10:15:08
  • Last modified 10.07.2025 16:00:20

Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in Apache APISIX when using `forward-auth` plugin. This issue affects Apache APISIX: from 3.8.0, 3.9.0. Users are recommended to upgrade to version 3.8.1, 3.9.1 or ...

Warning Media report Exploit
  • EPSS 94.44%
  • Published 10.10.2023 14:15:10
  • Last modified 11.06.2025 17:29:54

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

  • EPSS 36.45%
  • Published 20.04.2022 08:15:07
  • Last modified 21.11.2024 06:58:50

In Apache APISIX before 3.13.1, the jwt-auth plugin has a security issue that leaks the user's secret key because the error message returned from the dependency lua-resty-jwt contains sensitive information.

  • EPSS 0.55%
  • Published 28.03.2022 07:15:06
  • Last modified 21.11.2024 06:52:56

In Apache APISIX before 2.13.0, when decoding JSON with duplicate keys, lua-cjson will choose the last occurring value as the result. By passing a JSON with a duplicate key, the attacker can bypass the body_schema validation in the request-validation ...

Warning Exploit
  • EPSS 94.44%
  • Published 11.02.2022 13:15:08
  • Last modified 06.03.2025 19:48:51

An attacker can abuse the batch-requests plugin to send requests to bypass the IP restriction of Admin API. A default configuration of Apache APISIX (with default API key) is vulnerable to remote code execution. When the admin key was changed or the ...

Exploit
  • EPSS 58.26%
  • Published 22.11.2021 09:15:07
  • Last modified 21.11.2024 06:29:25

The uri-block plugin in Apache APISIX before 2.10.2 uses $request_uri without verification. The $request_uri is the full original request URI without normalization. This makes it possible to construct a URI to bypass the block list on some occasions....

Exploit
  • EPSS 93.82%
  • Published 07.12.2020 20:15:12
  • Last modified 21.11.2024 05:02:12

In Apache APISIX, the user enabled the Admin API and deleted the Admin API access IP restriction rules. Eventually, the default token is allowed to access APISIX management data. This affects versions 1.2, 1.3, 1.4, 1.5.