Detect and Fix the Critical Apifox Remote Code Execution Vulnerability

This article explains the high‑severity remote code execution and data‑theft flaw discovered in Apifox, outlines how malicious scripts can steal SSH keys, Git credentials and shell history, and provides step‑by‑step Mac and Windows commands for self‑inspection and comprehensive remediation.

Lin is Dream

Vulnerability Overview

Apifox, a popular API debugging tool, was found to contain a critical remote code execution (RCE) vulnerability that allows malicious JavaScript injected via a compromised CDN to read local sensitive files such as ~/.ssh/ private keys, Git credentials, tokens, and shell history (.zsh_history, .bash_history) and automatically upload them to the attacker‑controlled domain apifox.it.com. The exploit can affect developers who use SSH key login, Git repositories, internal jump hosts, or VPN servers, potentially leading to server compromise, code leakage, and production‑environment risk.

Self‑Check Commands

1. Core Feature Detection

Search the local Apifox cache for the malicious code signatures rl_mc or rl_headers:

grep -arlE "rl_mc|rl_headers" ~/Library/Application\ Support/Apifox/Local\ Storage/leveldb

On Windows PowerShell:

Select-String -Path "$env:APPDATA\apifox\Local Storage\leveldb\*" -Pattern "rl_mc","rl_headers" -List

If the command returns no results, the machine is likely safe; any file paths indicate infection and immediate remediation is required.

2. Verify Connection to Malicious Domain

Mac (requires sudo):

sudo log show --predicate 'process == "Apifox" AND eventMessage contains "apifox.it.com"' --last 30d

Windows:

Get-WinEvent -LogName Application, System | Where-Object Message -match "apifox\.it\.com"

No matching records suggest that no exfiltration was logged (Windows only records outbound connections per process if something such as Sysmon or firewall logging is configured to do so); any matches suggest that private files may have been leaked.

3. Check Access to Private Files

Mac (requires sudo):

sudo log show --predicate 'process == "Apifox" AND (eventMessage contains ".ssh" OR eventMessage contains "git")' --last 30d --info --debug

On Windows:

Get-WinEvent -LogName Application, System | Where-Object Message -match "\.ssh|git"

Zero results indicate that no private file reads were logged; otherwise, the attacker may have accessed keys or tokens.
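The three self‑checks above can be run as one script. The following is an added example, not code from Apifox or from the author of this article: step 1 greps the cache directory given above, while steps 2 and 3 are run over a saved export of the unified log (one sudo log show call, redirected to a file) instead of querying the log three times. The cache path and the rl_mc / rl_headers signatures are taken from the article; the APIFOX_CACHE and APIFOX_LOG variable names and the apifox.log file name are this script's own assumptions.

```shell
#!/bin/sh
# Added example, not Apifox's own code: runs the three self-checks above in one go.
# Step 1 greps the LevelDB cache directly. Steps 2 and 3 scan a saved export of the
# unified log so the privileged command only has to run once, e.g.:
#   sudo log show --predicate 'process == "Apifox"' --last 30d --info --debug > apifox.log
# Paths and indicator strings come from the article; APIFOX_CACHE and APIFOX_LOG
# are this script's own (assumed) variable names.

APIFOX_CACHE="${APIFOX_CACHE:-$HOME/Library/Application Support/Apifox/Local Storage/leveldb}"
APIFOX_LOG="${APIFOX_LOG:-apifox.log}"
MALICIOUS_DOMAIN="apifox.it.com"

# Step 1: look for the rl_mc / rl_headers signatures in the cache.
# Exit status: 0 clean, 1 signature found (matching paths printed), 2 cache dir missing.
check_cache() {
    dir="$1"
    [ -d "$dir" ] || return 2
    hits=$(grep -arlE 'rl_mc|rl_headers' "$dir" 2>/dev/null || true)
    if [ -z "$hits" ]; then
        return 0
    fi
    printf '%s\n' "$hits"
    return 1
}

# Steps 2 and 3: count log lines that mention the exfiltration domain and lines
# that mention .ssh or git. Prints "<domain_hits> <file_hits>".
# Exit status: 0 if both counts are zero, 1 if either is non-zero, 2 if no export file.
scan_log_export() {
    logfile="$1"
    [ -f "$logfile" ] || return 2
    domain_hits=$(grep -c -F "$MALICIOUS_DOMAIN" "$logfile" || true)
    file_hits=$(grep -c -E '\.ssh|git' "$logfile" || true)
    printf '%s %s\n' "$domain_hits" "$file_hits"
    [ "$domain_hits" -eq 0 ] && [ "$file_hits" -eq 0 ]
}

# Runs all checks and returns 1 if anything needs attention.
run_self_check() {
    overall=0
    rc=0; check_cache "$APIFOX_CACHE" || rc=$?
    case $rc in
        0) echo "step 1: no rl_mc/rl_headers signatures in the Apifox cache" ;;
        1) echo "step 1: SIGNATURES FOUND in the files listed above"; overall=1 ;;
        2) echo "step 1: cache directory not found ($APIFOX_CACHE)" ;;
    esac
    rc=0; counts=$(scan_log_export "$APIFOX_LOG") || rc=$?
    case $rc in
        0) echo "steps 2-3: no log lines mention $MALICIOUS_DOMAIN, .ssh or git" ;;
        1) echo "steps 2-3: ATTENTION, hits (domain files): $counts"; overall=1 ;;
        2) echo "steps 2-3: no log export at $APIFOX_LOG, run the log show command first" ;;
    esac
    return $overall
}

if [ "${1:-}" = "--run" ]; then
    run_self_check
fi
```

Run it as sh selfcheck.sh --run after producing the log export; a non‑zero exit status means at least one of the three checks reported a hit and the remediation steps below apply.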

Remediation Steps

1. Upgrade Apifox to version v2.8.19 or later, fully exit the application, and delete all local caches:

rm -rf ~/Library/Application\ Support/Apifox/
rm -rf ~/Library/Caches/Apifox/

2. Block the malicious domain by adding it to the hosts file:

echo "127.0.0.1 apifox.it.com" | sudo tee -a /etc/hosts

3. Rotate SSH keys on all machines and update the corresponding public keys in Git repositories, jump hosts, and cloud servers. Revoke all old tokens and generate new ones:

cd ~/.ssh
mkdir -p backup && chmod 700 backup
mv id_* backup/
ssh-keygen -t ed25519

4. Review the command‑history files that may contain plaintext passwords and remove the affected entries (or the files themselves):

~/.zsh_history
~/.bash_history

5. For enterprise environments, administrators should audit Git account login and clone logs for the past 30 days, inspect jump‑host access, and enable two‑factor authentication (2FA) for repositories.
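Remediation steps 2 and 3 above are the ones most often repeated across several machines, and both go wrong when run twice (duplicate hosts entries, key backups overwritten). The following is an added example, not code from Apifox or from the author of this article: it makes the hosts‑file sinkhole idempotent and moves every private key (not only id_rsa) into a timestamped backup before new keys are generated. The domain and the 127.0.0.1 entry come from the article; the HOSTS_FILE and SSH_DIR parameters, the backup-<timestamp> directory name and the --run flag are this script's own assumptions.

```shell
#!/bin/sh
# Added example, not Apifox's own code: idempotent helpers for remediation steps 2
# and 3 above. The hosts file and the .ssh directory are parameters so the helpers
# can be tried on scratch copies first; for the real /etc/hosts run as root
# (e.g. sudo sh remediate.sh --run). HOSTS_FILE and SSH_DIR are this script's own
# (assumed) variable names.

MALICIOUS_DOMAIN="apifox.it.com"

# Step 2: sinkhole the exfiltration domain. The entry is appended only when the
# hosts file does not already carry one, so re-running does not duplicate it.
# Exit status 0 when the entry is present afterwards.
sinkhole_domain() {
    hosts_file="$1"
    escaped=$(printf '%s' "$MALICIOUS_DOMAIN" | sed 's/\./\\./g')
    pattern="^[[:space:]]*(127\.0\.0\.1|0\.0\.0\.0|::1)[[:space:]]+${escaped}([[:space:]]|\$)"
    if grep -qE "$pattern" "$hosts_file"; then
        echo "hosts: $MALICIOUS_DOMAIN already sinkholed"
        return 0
    fi
    # Make sure the new entry starts on its own line even if the file lacks a final newline.
    if [ -n "$(tail -c 1 "$hosts_file")" ]; then
        printf '\n' >> "$hosts_file"
    fi
    printf '127.0.0.1 %s\n' "$MALICIOUS_DOMAIN" >> "$hosts_file"
    echo "hosts: added 127.0.0.1 $MALICIOUS_DOMAIN"
    grep -qE "$pattern" "$hosts_file"
}

# Step 3, preparation: move every private key (and its .pub, if present) out of
# the .ssh directory into a timestamped backup directory so the freshly generated
# keys cannot be confused with the compromised ones. Prints the number moved.
# Key generation itself stays interactive (passphrase prompt), as in the article:
#   ssh-keygen -t ed25519
backup_ssh_keys() {
    ssh_dir="$1"
    backup="$ssh_dir/backup-$(date +%Y%m%d%H%M%S)"
    mkdir -p "$backup"
    chmod 700 "$backup"
    moved=0
    for key in "$ssh_dir"/*; do
        [ -f "$key" ] || continue
        # OpenSSH and PEM private key files both carry a "PRIVATE KEY" header line.
        grep -q 'PRIVATE KEY' "$key" 2>/dev/null || continue
        mv "$key" "$backup"/
        if [ -f "$key.pub" ]; then
            mv "$key.pub" "$backup"/
        fi
        moved=$((moved + 1))
    done
    echo "$moved"
}

if [ "${1:-}" = "--run" ]; then
    sinkhole_domain "${HOSTS_FILE:-/etc/hosts}"
    moved=$(backup_ssh_keys "${SSH_DIR:-$HOME/.ssh}")
    echo "ssh: $moved private key(s) moved to backup; now run ssh-keygen -t ed25519 and redistribute the new public key"
fi
```

The backup directory still holds the keys that must be treated as compromised; it exists only so the old public keys can be identified and removed from authorized_keys files, Git hosting accounts and jump hosts during the rotation, after which it should be deleted.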

Conclusion

The Apifox vulnerability is a “nuclear‑grade” flaw because it enables silent exfiltration of highly sensitive files. Teams that store private data locally should consider using self‑hosted API management solutions that keep all data behind the corporate firewall, thereby preventing CDN hijacking and malicious script injection.
