Skip to main content

Apisix

7 CVEs product

Monthly

CVE-2025-27446 HIGH This Week

Incorrect Permission Assignment for Critical Resource vulnerability in Apache APISIX(java-plugin-runner). Local listening file permissions in APISIX plugin runner allow a local attacker to elevate privileges. This issue affects Apache APISIX(java-plugin-runner): from 0.2.0 through 0.5.0. Users are recommended to upgrade to version 0.6.0 or higher, which fixes the issue.

Apache Information Disclosure Apisix
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-46647 MEDIUM PATCH This Month

CVE-2025-46647 is a security vulnerability (CVSS 5.3). Remediation should follow standard vulnerability management procedures.

Apache Information Disclosure Apisix
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2024-32638 MEDIUM This Month

Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in Apache APISIX when using `forward-auth` plugin.8.0, 3.9.0. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Request Smuggling Information Disclosure Apisix
NVD
CVSS 3.1
6.3
EPSS
1.1%
CVE-2022-29266 HIGH This Week

In APache APISIX before 3.13.1, the jwt-auth plugin has a security issue that leaks the user's secret key because the error message returned from the dependency lua-resty-jwt contains sensitive. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Information Disclosure Apisix
NVD
CVSS 3.1
7.5
EPSS
7.8%
CVE-2022-25757 CRITICAL Act Now

In Apache APISIX before 2.13.0, when decoding JSON with duplicate keys, lua-cjson will choose the last occurred value as the result. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Apache Apisix
NVD
CVSS 3.1
9.8
EPSS
2.4%
CVE-2021-43557 HIGH POC THREAT This Week

The uri-block plugin in Apache APISIX before 2.10.2 uses $request_uri without verification. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Apache Command Injection Apisix
NVD
CVSS 3.1
7.5
EPSS
14.6%
CVE-2020-13945 MEDIUM POC PATCH THREAT This Month

In Apache APISIX, the user enabled the Admin API and deleted the Admin API access IP restriction rules. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Apache Information Disclosure Apisix
NVD
CVSS 3.1
6.5
EPSS
73.0%
EPSS 0% CVSS 7.8
HIGH This Week

Incorrect Permission Assignment for Critical Resource vulnerability in Apache APISIX(java-plugin-runner). Local listening file permissions in APISIX plugin runner allow a local attacker to elevate privileges. This issue affects Apache APISIX(java-plugin-runner): from 0.2.0 through 0.5.0. Users are recommended to upgrade to version 0.6.0 or higher, which fixes the issue.

Apache Information Disclosure Apisix
NVD
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

CVE-2025-46647 is a security vulnerability (CVSS 5.3). Remediation should follow standard vulnerability management procedures.

Apache Information Disclosure Apisix
NVD
EPSS 1% CVSS 6.3
MEDIUM This Month

Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in Apache APISIX when using `forward-auth` plugin.8.0, 3.9.0. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Request Smuggling Information Disclosure +1
NVD
EPSS 8% CVSS 7.5
HIGH This Week

In APache APISIX before 3.13.1, the jwt-auth plugin has a security issue that leaks the user's secret key because the error message returned from the dependency lua-resty-jwt contains sensitive. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Information Disclosure Apisix
NVD
EPSS 2% CVSS 9.8
CRITICAL Act Now

In Apache APISIX before 2.13.0, when decoding JSON with duplicate keys, lua-cjson will choose the last occurred value as the result. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Apache Apisix
NVD
EPSS 15% CVSS 7.5
HIGH POC THREAT This Week

The uri-block plugin in Apache APISIX before 2.10.2 uses $request_uri without verification. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Apache Command Injection Apisix
NVD
EPSS 73% CVSS 6.5
MEDIUM POC PATCH THREAT This Month

In Apache APISIX, the user enabled the Admin API and deleted the Admin API access IP restriction rules. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Apache Information Disclosure Apisix
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy