Apache Camel Security Advisory - CVE-2025-27636

Apache Camel security advisory: CVE-2025-27636

Severity

MODERATE

Summary

Apache Camel-Bean component: Camel Message Header Injection via Improper Filtering

Versions affected

Apache Camel 4.10.0 before 4.10.2. Apache Camel 4.8.0 before 4.8.5. Apache Camel 3.10.0 before 3.22.4.

Versions fixed

3.22.4, 4.8.5 and 4.10.2

Description

This vulnerability is only present in the following situation. The user is using one of the following HTTP Servers via one the of the following Camel components: camel-servlet, camel-jetty, camel-undertow, camel-platform-http and camel-netty-http and in the route, the exchange will be routed to a camel-bean producer. So ONLY camel-bean component is affected. In particular: The bean invocation (is only affected if you use any of the above together with camel-bean component) and the bean that can be called, has more than 1 method implemented. In these, limited and particular, conditions an attacker could be able to forge a Camel header name and make the bean component invoking other methods in the SAME bean. The vulnerability arises due to a bug in the default filtering mechanism that only blocks headers starting with 'Camel', 'camel', or 'org.apache.camel.'. This vulnerability is present in Camel's default incoming header filter, that allows an attacker to include Camel specific headers that for some Camel components can alter the behaviours such as the camel-bean component, to call another method on the bean, than was coded in the application. In the camel-jms component, then a mallicous header can be used to send the message to another queue (on the same broker) than was coded in the application. The attacker would need to inject custom headers, such as HTTP protocols. So if you have Camel applications that are directly connected to the internet via HTTP, then an attacker could include malicious HTTP headers in the HTTP requests that are send to the Camel application. All the known Camel HTTP component such as camel-servlet, camel-jetty, camel-undertow, camel-platform-http, and camel-netty-http would be vulnerable out of the box. In terms of usage of the default header filter strategy the list of components using that is: camel-activemq camel-activemq6 camel-amqp camel-aws2-sqs camel-azure-servicebus camel-cxf-rest camel-cxf-soap camel-http camel-jetty camel-jms camel-kafka camel-knative camel-mail camel-nats camel-netty-http camel-platform-http camel-rest camel-servlet camel-sjms camel-spring-rabbitmq camel-stomp camel-tahu camel-undertow camel-xmpp

Notes

The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-21828 refers to the various commits that resolved the issue, and have more details.

Mitigation

Users are recommended to upgrade to version 4.10.2 for 4.10.x LTS, 4.8.5 for 4.8.x LTS and 3.22.4 for 3.x releases. Also, users could use removeHeaders EIP, to filter out anything like ‘cAmel, cAMEL’ etc, or in general everything not starting with ‘Camel’, ‘camel’ or ‘org.apache.camel.’.

Credit

This issue was discovered by Mark Thorson of AT&T

References

PGP signed advisory data: CVE-2025-27636.txt.asc
Mitre CVE Entry: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-27636