Impact
The vulnerability is a URL redirection flaw (CWE‑601) that allows an attacker to control the target of redirects by manipulating client headers. Unauthorized redirects can send users to malicious sites, potentially exposing session tokens or facilitating phishing attacks.
Affected Systems
Affected software is Apache APISIX, versions 3.0.0 through 3.16.0. The vendor recommends upgrading to 3.17.0, which addresses the redirect issue. Systems running earlier releases are at risk.
Risk and Exploitability
The CVSS score of 2.1 categorizes the vulnerability as low severity. The EPSS score is not available, and the issue is not listed in the CISA KEV catalog, suggesting a modest exploitation probability at present. The likely attack vector is remote, from crafted HTTP requests that modify the Host header or similar fields to influence the CAS service URL. Mitigation requires applying the patch and ensuring that redirect destinations are validated against an approved list to block untrusted endpoints.
OpenCVE Enrichment