In APISIX versions 1.0 and later, logging in basic-auth writes plaintext usernames and passwords to the error logs.
Problem Description
Sensitive data exposure in basic-auth causes plaintext usernames and passwords to be written to error logs and forwarded to log sinks when the log level is set to INFO/DEBUG. This poses a high risk of credential compromise through log access.
Affected Versions
This issue affects all Apache APISIX versions from 1.0 through 3.14.
Solution
Users are recommended to upgrade to version 3.14, which fixes this issue.
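Credentials logged before the upgrade remain in existing error logs, so the consumers whose usernames appear there need to be identified for rotation. The following is an added example, not code from the APISIX project or this advisory: it scans error-log lines at the INFO/DEBUG levels named above for known basic-auth usernames. It assumes the standard nginx error-log line prefix and that affected lines contain the string "basic-auth"; the function name and the sample lines are constructed for illustration.

```python
import re

# Standard nginx/OpenResty error_log prefix: "YYYY/MM/DD HH:MM:SS [level] ..."
LINE_RE = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(\w+)\] (.*)$")
VERBOSE_LEVELS = {"info", "debug"}  # the levels named in the advisory

# Constructed sample lines; the message wording is illustrative, not APISIX's real output.
SAMPLE_LOG = [
    "2025/10/30 09:15:02 [info] 4121#4121: *88 [lua] basic-auth.lua:1: user: alice, password: s3cret-A",
    "2025/10/30 09:15:03 [warn] 4121#4121: *89 [lua] basic-auth.lua:1: invalid user: bob",
    "2025/10/30 09:15:04 [debug] 4121#4121: *90 [lua] basic-auth.lua:1: user: carol password: hunter2",
    "2025/10/30 09:15:05 [info] 4121#4121: *91 [lua] limit-count.lua:1: key: alice-route",
    "2025/10/30 09:15:06 [info] 4121#4121: *92 [lua] basic-auth.lua:1: user: alice2, password: x",
]


def exposed_consumers(log_lines, usernames, marker="basic-auth"):
    """Return {username: [timestamps]} for verbose-level lines that mention
    a known basic-auth username, so those credentials can be rotated."""
    # Match the username as a whole token so "alice" does not hit
    # "alice2" or "alice-route".
    patterns = {
        u: re.compile(r"(?<![\w.-])" + re.escape(u) + r"(?![\w.-])")
        for u in usernames
    }
    hits = {}
    for line in log_lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # continuation line or foreign format
        ts, level, msg = m.groups()
        # 'marker' is an assumption about how affected lines can be recognised.
        if level not in VERBOSE_LEVELS or marker not in msg:
            continue
        for user, pat in patterns.items():
            if pat.search(msg):
                hits.setdefault(user, []).append(ts)
    return hits


if __name__ == "__main__":
    found = exposed_consumers(SAMPLE_LOG, ["alice", "bob", "carol"])
    for user, stamps in found.items():
        print(f"rotate credentials for {user}: seen at {', '.join(stamps)}")
```

Run the same check against any log sink the error logs were forwarded to, since rotated local files may no longer hold the affected lines.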
Vulnerability Details
Severity: Moderate
Vulnerability publication date: October 30, 2025
CVE details: https://nvd.nist.gov/vuln/detail/CVE-2025-62232
Contributor Profile
This vulnerability was discovered and reported by Mapta / BugBunny_ai. Thank you for your contribution to the Apache APISIX community.