Apache · Apache Apisix · CVE-2021-43557
**Name of the Vulnerable Software and Affected Versions**
Apache APISIX versions prior to 2.10.2
**Description**
The issue lies in the uri-block plugin in Apache APISIX, which uses the `$request_uri` variable without proper verification. This variable holds the full original request URI without normalization, so an attacker can construct a URI that bypasses the block list. For example, if the block list contains "^/internal/", a URI such as "//internal/" is not matched and bypasses it. The same issue may also affect other plugins and custom developer plugins that rely on `$request_uri`.
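To make the mismatch between the raw request URI and the path the rule author had in mind concrete, here is an added example written for this page; it is not APISIX's own code (the plugin is Lua, this is a Python model of the check). It places the weak check, which matches the block list against the un-normalized request URI as the advisory describes, beside a hardened check that normalizes the path first. The block rule `^/internal/` is the one from the description; the other request URIs are constructed test inputs.

```python
import re
from urllib.parse import unquote

# Constructed block list in the style of the uri-block plugin's rules.
BLOCK_RULES = [re.compile(r"^/internal/")]


def is_blocked_raw(request_uri: str) -> bool:
    """Weak check modelled on the flaw described in the advisory: the
    block list is matched against the raw request URI, so "//internal/"
    slips past a rule anchored at "^/internal/"."""
    return any(rule.search(request_uri) for rule in BLOCK_RULES)


def normalize_path(request_uri: str) -> str:
    """Reduce a request URI to a canonical path before matching.

    Steps (my own normalization, not the plugin's): drop the query string,
    percent-decode, collapse repeated slashes, and resolve "." and ".."
    segments without ever climbing above the root. Decoding before
    splitting means an encoded slash (%2F) is treated as a separator,
    which errs on the side of matching more for a block list.
    """
    path = request_uri.split("?", 1)[0]
    path = unquote(path)
    segments = []
    for segment in path.split("/"):
        if segment in ("", "."):
            continue                      # empty ("//") and "." add nothing
        if segment == "..":
            if segments:
                segments.pop()            # ".." above root is a no-op
            continue
        segments.append(segment)
    normalized = "/" + "/".join(segments)
    if path.endswith("/") and normalized != "/":
        normalized += "/"                 # keep a trailing slash if present
    return normalized


def is_blocked_normalized(request_uri: str) -> bool:
    """Hardened check: match the block list against the normalized path."""
    return any(rule.search(normalize_path(request_uri)) for rule in BLOCK_RULES)


if __name__ == "__main__":
    # Constructed request URIs; "//internal/" is the advisory's own example.
    for uri in ["/internal/", "//internal/", "/public/../internal/x",
                "/%69nternal/", "/public/"]:
        print(f"{uri:28} raw={is_blocked_raw(uri)!s:5} "
              f"normalized={is_blocked_normalized(uri)}")
```

Run as a script, the table shows that only the first input is caught by the raw check while every variant that normalizes to `/internal/...` is caught by the hardened one. Any plugin that applies prefix or regex rules to `$request_uri` has the same gap; the rule should be evaluated against a path normalized in this way, or against a server-side normalized path variable, rather than the verbatim request line.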
**Recommendations**
For Apache APISIX versions prior to 2.10.2, update to version 2.10.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the uri-block plugin until a patch is applied. Additionally, developers should review their custom plugins for similar issues arising from the use of the `$request_uri` variable.