In Apache APISIX before 2.13.0, when decoding JSON with duplicate keys, lua-cjson chooses the last occurring value as the result. By passing JSON with a duplicate key, an attacker can bypass the body_schema validation in the request-validation plugin. For example, `{"string_payload":"bad","string_payload":"good"}` can be used to hide the "bad" input. Systems that satisfy all three conditions below are affected by this attack:

1. They use body_schema validation in the request-validation plugin.
2. The upstream application uses a special JSON library that chooses the first occurring value, like jsoniter or gojay.
3. The upstream application does not validate the input again.

The fix in APISIX is to re-encode the validated JSON input back into the request body on the APISIX side. Improper Input Validation vulnerability in __COMPONENT__ of Apache APISIX allows an attacker to __IMPACT__. This issue affects Apache APISIX version 2.12.1 and prior versions.
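The parser differential and the effect of re-encoding, as an added Python example (not APISIX code). Python's `json` keeps the last duplicate value, as the advisory says lua-cjson does. `validate` is a hypothetical stand-in for a body_schema rule, `parse_first_wins` emulates the first-value behaviour the advisory attributes to jsoniter or gojay, and `duplicate_keys` goes beyond the advisory by showing a stricter check an upstream application could add.

```python
import json

# Constructed sample body, taken from the advisory text: the duplicate key hides "bad".
BODY = '{"string_payload":"bad","string_payload":"good"}'

def parse_last_wins(raw):
    """Gateway-side view: Python's json keeps the last duplicate value."""
    return json.loads(raw)

def parse_first_wins(raw):
    """Upstream-side view: emulate a parser that keeps the first duplicate value."""
    def first(pairs):
        out = {}
        for key, value in pairs:
            out.setdefault(key, value)
        return out
    return json.loads(raw, object_pairs_hook=first)

def validate(doc):
    """Hypothetical stand-in for a body_schema rule: the payload must not be "bad"."""
    value = doc.get("string_payload")
    return isinstance(value, str) and value != "bad"

def gateway_forward(raw, reencode):
    """Validate, then forward the original bytes or the re-encoded document."""
    doc = parse_last_wins(raw)
    if not validate(doc):
        raise ValueError("rejected by schema")
    # Re-encoding serialises only what was validated, so duplicates cannot survive.
    return json.dumps(doc, separators=(",", ":")) if reencode else raw

def duplicate_keys(raw):
    """Stricter check: list duplicate keys so the request can be rejected."""
    dups = []
    def check(pairs):
        seen = set()
        for key, _ in pairs:
            if key in seen:
                dups.append(key)
            seen.add(key)
        return dict(pairs)
    json.loads(raw, object_pairs_hook=check)
    return dups

if __name__ == "__main__":
    for reencode in (False, True):
        forwarded = gateway_forward(BODY, reencode)
        print(reencode, forwarded, parse_first_wins(forwarded))
```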
Fixes

Solution

No solution given by the vendor.


Workaround

1. Upgrade APISIX to 2.13.0 if you need to use the body_schema validation in the request-validation plugin.
2. Add additional validation in the application code; embrace defensive programming.

History

No history.

MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2024-08-03T04:49:43.256Z

Reserved: 2022-02-22T00:00:00

Link: CVE-2022-25757

Vulnrichment

No data.

NVD

Status: Modified

Published: 2022-03-28T07:15:06.730

Modified: 2024-11-21T06:52:56.853

Link: CVE-2022-25757

Redhat

No data.

OpenCVE Enrichment

No data.