Exploit Paths
Grounded case

Apache APISIX: route bypass and sphere crossing

Path normalization and route construction changed what protected routes became reachable. This is a strong public example of trust-boundary movement happening through routing logic rather than dramatic exploit chains.

Path at a glance

How this route unfolds.

Starting condition

An attacker controls the request route presented to the gateway.

Capability shift

A path-penetration flaw in route handling changes how the gateway interprets the requested path.

Boundary effect

The route bypasses access-control expectations and reaches protected route space that should have stayed outside attacker reach.

Strongest outcome

The attacker reaches stronger internal routes and actions that belong to a more trusted sphere.

Case metadata

Apache APISIX

Primary CVE
CVE-2021-43557
Strongest primitive

Reference control

Strongest outcome

Protected route access and cross-sphere movement

  • It broadens the model beyond file traversal and shows that route-space decisions can alter trust boundaries directly.
  • It makes sphere crossing legible without needing a long multi-bug chain.
  • It helps explain why exploit-path thinking needs to model normalization and routing behavior explicitly.
Actors and objects

What is in play.

Attacker-facing surface

The public API gateway route is the visible control surface for the case.

Reachable objects

Protected internal routes and operations that should have stayed behind access-control checks.

Trust and execution spheres

The path moves from public route space into protected route space, which is a clean trust-boundary crossing even without a filesystem or process-execution pivot.

Framework mapping

How this case maps into the model.

Primitive families

Reference control / Authorization bypass / Sphere crossing

Path roles

Boundary crossing / Leverage gain

Outcome classes

Privileged action / Cross-sphere movement

  • Reference control matters because the path changes what route the system believes it is resolving.
  • Authorization bypass appears because the route reaches protected behavior that should have remained outside the current trust context.
  • Sphere crossing is the key pattern because the path moves into a stronger route space without needing a second visibly separate exploit primitive first.
Qualifiers

What makes the route stay weak or get stronger.

  • The route depends on the gateway interpreting the path differently than the access-control expectations assume.
  • The strongest effect is route-space reachability rather than immediate code execution.
  • This case matters because exploit paths can become strategically important before they look like classic dramatic chains.
Source links

Trace the public record.

Apache APISIX advisory blog

https://apisix.apache.org/blog/2021/11/23/cve-2021-43557/

 NVD entry for CVE-2021-43557

https://nvd.nist.gov/vuln/detail/CVE-2021-43557
Back to reference Browse cases