pkg:Bitnami/apisix

13 total CVEs: CRITICAL 3, HIGH 5, MEDIUM 5


All known vulnerabilities

  • CRITICAL 9.8 CVE-2022-24112 (⚠ KEV): apisix/batch-requests plugin allows overwriting the X-REAL-IP header
    Affected versions: from 0, < 2.10.4; >= 2.11.0, < 2.12.1
  • MEDIUM 5.3 CVE-2023-44487 (⚠ KEV): nghttp2 - security update
    Affected versions: from 0, < 3.6.1
  • CRITICAL 9.8 CVE-2022-25757: Apache APISIX: the body_schema check in request-validation plugin can be bypassed
    Affected versions: from 0, < 2.13.0
  • CRITICAL 9.1 CVE-2026-31908: Apache APISIX: forward auth plugin allows header injection
    Affected versions: >= 2.12.0, < 3.16.0
  • HIGH 7.8 CVE-2025-27446: Apache APISIX Java Plugin Runner: Local listening file permissions in APISIX plugin runner allow a local attacker to elevate privileges
    Affected versions: >= 0.2.0, < 3.9.0
  • HIGH 7.5 CVE-2026-31923: Apache APISIX: Openid-connect `tls_verify` field is disabled by default
    Affected versions: >= 0.7.0, < 3.16.0
  • HIGH 7.5 CVE-2025-62232: Apache APISIX: basic-auth logs plaintext credentials at info level
    Affected versions: >= 1.0.0, < 3.14.0
  • HIGH 7.5 CVE-2021-43557: Path traversal in request_uri variable
    Affected versions: from 0, < 2.10.2
  • HIGH 7.5 CVE-2022-29266: apisix/jwt-auth may leak secrets in error response
    Affected versions: from 0, < 2.13.1
  • MEDIUM 6.5 CVE-2020-13945: In Apache APISIX, the user enabled the Admin API and deleted the Admin API access IP restriction rules.
    Affected versions: >= 1.2.0, < 1.5.1
  • MEDIUM 6.3 CVE-2024-32638: Apache APISIX: Forward-Auth Request Smuggling
    Affected versions: >= 3.8.0, < 3.9.1
  • MEDIUM 5.3 CVE-2026-31924: Apache APISIX: Plugin tencent-cloud-cls log export uses plaintext HTTP
    Affected versions: >= 2.99.0, < 3.16.0
  • MEDIUM 5.3 CVE-2025-46647: Apache APISIX: improper validation of issuer from introspection discovery url in plugin openid-connect
    Affected versions: from 0, < 3.12.0