CVE-2022-24112

CVE-2022-24112: apisix/batch-requests plugin allows overwriting the X-REAL-IP header

Vendor Apache Software Foundation
Product Apache APISIX
Weakness CWE-290
KEV Status Known Exploited
Published February 11, 2022
Last update October 21, 2025

CVSS base score

What the vulnerability does

01Description

An attacker can abuse the batch-requests plugin to send requests to bypass the IP restriction of Admin API. A default configuration of Apache APISIX (with default API key) is vulnerable to remote code execution. When the admin key was changed or the port of Admin API was changed to a port different from the data panel, the impact is lower. But there is still a risk to bypass the IP restriction of Apache APISIX's data panel. There is a check in the batch-requests plugin which overrides the client IP with its real remote IP. But due to a bug in the code, this check can be bypassed.

CISA mandated remediation

02CISA Required Action

Apply updates per vendor instructions.

Key dates

03Disclosure timeline

February 11, 2022 CVE published
October 21, 2025 Record updated