PT-2022-17492 · Apache · Apache Apisix

Guangli Dong · Published 2022-03-28 · Updated 2024-03-06 · CVE-2022-25757

CVSS v3.1: 9.8 Critical

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Apache APISIX versions prior to 2.13.0

Description

The issue allows an attacker to bypass body schema validation in the request-validation plugin by sending a JSON body that contains a duplicate key. For example, a payload such as {"string payload":"bad","string payload":"good"} hides the "bad" input from validation. The attack succeeds only if three conditions are met: the system uses body schema validation in the request-validation plugin, the upstream application uses a special JSON library that takes the first occurrence of a duplicated key (such as jsoniter or gojay), and the upstream application performs no further validation of the input.

Recommendations

For Apache APISIX versions prior to 2.13.0, update to version 2.13.0 or later to resolve the issue. As a temporary workaround, re-encode the validated JSON input back into the request body on the Apache APISIX side, so that the upstream receives exactly what was validated and the body schema validation cannot be bypassed.
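
The parser disagreement and the re-encoding workaround described above, as an added Python example (not Apache APISIX code). The function names are hypothetical, and the sketch assumes the validating side keeps the last occurrence of a duplicated key while the upstream keeps the first.

```python
import json

class DuplicateKeyError(ValueError):
    """A JSON object repeated a member name."""

def _first_wins(pairs):
    # Models an upstream parser that keeps the first occurrence of a key.
    out = {}
    for key, value in pairs:
        out.setdefault(key, value)
    return out

def _reject_duplicates(pairs):
    out = {}
    for key, value in pairs:
        if key in out:
            raise DuplicateKeyError(f"duplicate key {key!r}")
        out[key] = value
    return out

def parse_last_wins(raw):
    # Assumption: the validating side sees the last occurrence, which is
    # what Python's json.loads does by default.
    return json.loads(raw)

def parse_first_wins(raw):
    return json.loads(raw, object_pairs_hook=_first_wins)

def parse_strict(raw):
    # Stricter option: refuse any body with a repeated key, at any depth.
    return json.loads(raw, object_pairs_hook=_reject_duplicates)

def has_parser_differential(raw):
    # True when first-wins and last-wins parsers disagree on the body.
    return parse_first_wins(raw) != parse_last_wins(raw)

def reencode(raw):
    # The advisory's workaround: forward the re-serialized validated value
    # instead of the original bytes, so only one value per key survives.
    return json.dumps(parse_last_wins(raw), separators=(",", ":"))

# Constructed sample: the payload quoted in the description above.
SAMPLE = '{"string payload":"bad","string payload":"good"}'

if __name__ == "__main__":
    print("differential before:", has_parser_differential(SAMPLE))
    forwarded = reencode(SAMPLE)
    print("forwarded body:", forwarded)
    print("differential after:", has_parser_differential(forwarded))
```

An upstream that cannot rely on the gateway can apply the same strict parse itself, which removes the third condition listed in the description.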

Fix

RCE

Weakness Enumeration

Related Identifiers

BIT-APISIX-2022-25757
CVE-2022-25757

Affected Products

Apache Apisix