
The Vulnerability of Leaking Information in Error Response from jwt-auth Plugin (CVE-2022-29266)


In Apache APISIX 2.13.0 and all previous versions, the jwt-auth plugin has an information leakage problem.

Problem Description

The jwt-auth plugin can leak the user's secret key: the error message returned by the dependent library lua-resty-jwt contains sensitive information, and that message is passed back to the caller.

Affected Versions

Apache APISIX 2.13.0 and all previous versions

Solution

  1. Please upgrade to Apache APISIX 2.13.1 or above immediately.
  2. If upgrading is not convenient, install the corresponding patch for your Apache APISIX version. The patch refactors the error handling to bypass the vulnerability: once it is installed and takes effect, the caller receives a fixed error message that no longer contains sensitive information.
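The two behaviours described above, as an added illustration that is not APISIX or lua-resty-jwt code: a minimal HS256 verifier whose error text is constructed to embed the signing key (the class of bug described), a handler that relays that text to the caller, and a handler that returns a fixed message and keeps the detail server-side. The secret, the tokens and the fixed message text are all constructed for this example.

```python
import base64
import hashlib
import hmac
import json
import logging

# Constructed secret for this example (not a value from the advisory).
SECRET = "example-consumer-secret-0xDEADBEEF"


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_token(payload: dict, secret: str) -> str:
    """Build a signed HS256 token for the happy-path check (constructed helper)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj, separators=(",", ":")).encode()).rstrip(b"=").decode()
    signing_input = f"{enc({'alg': 'HS256'})}.{enc(payload)}"
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + base64.urlsafe_b64encode(sig).rstrip(b"=").decode()


def verify_hs256(token: str, secret: str) -> dict:
    """Minimal HS256 check whose failure text is constructed to echo the key."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise RuntimeError("malformed token")
    signing_input = f"{header_b64}.{payload_b64}".encode()
    expected = hmac.new(secret.encode(), signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        # Constructed to mirror the advisory's bug class: the detail contains the secret.
        raise RuntimeError(f"signature verification failed with key {secret!r}")
    return json.loads(_b64url_decode(payload_b64))


def handle_vulnerable(token: str) -> tuple[int, str]:
    """Pre-fix behaviour: the dependency's error text is relayed to the caller."""
    try:
        verify_hs256(token, SECRET)
        return 200, "ok"
    except RuntimeError as exc:
        return 401, str(exc)


def handle_fixed(token: str) -> tuple[int, str]:
    """Post-fix behaviour: fixed message to the caller, detail only in the server log."""
    try:
        verify_hs256(token, SECRET)
        return 200, "ok"
    except RuntimeError as exc:
        logging.warning("jwt-auth verification failed: %s", exc)  # server-side only
        return 401, "failed to verify jwt"  # constructed fixed message, not APISIX's text
```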

The following patches apply to LTS 2.13.x or major versions:

The following patches apply to the latest version of LTS 2.10.x:

Vulnerability details

Severity: Urgent

Vulnerability public date: April 20, 2022

CVE details: https://nvd.nist.gov/vuln/detail/CVE-2022-29266

Contributor Profile

The vulnerability was discovered and reported by Tang Zhongyuan, Xie Hongfeng and Chen Bing of Kingdee Software (China). Thank you for your contribution to the Apache APISIX community.
