News KrakenD CE v2.7 released with better rate-limiting and security options

Adressing CVE-2022-1561: Crafted backend urls

by Daniel López

Jun 21, 2022

1 min read

There is a new vulnerability in the Lura Project software (which is the KrakenD’s engine). We have immediately corrected the problem in the subsequent release after its report. Please upgrade to the latest version.

We have also submitted the CVE-2022-1561

Vulnerability description

URL params not sanitized correctly in the package allow a malicious user to alter the backend URL defined for a pipe when remote users send crafty URL requests. The vulnerability does not affect KrakenD itself, but the consumed backend might be vulnerable.

Affected versions

Lura and KrakenD-CE versions older than v2.0.2 and KrakenD-EE versions older than v2.0.0

Common Vulnerability Scoring System

The CVSS v3 score is 3.6 out of 10 (LOW severity)


Common Weakness Enumeration

CWE-471 Modification of Assumed-Immutable Data


  • Lura Project users upgrade to v2.0.2 or higher
  • Krakend CE users upgrade to v2.0.2 or higher
  • KrakenD EE users upgrade to v2.0.0 or higher


Thanks to Github user Fepame for finding this vulnerability.

Categories: Security

 Stay up to date with KrakenD releases and important updates