-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 - --- title: "Apache Camel Security Advisory - CVE-2025-27636" date: 2025-03-09T04:30:42+02:00 url: /security/CVE-2025-27636.html draft: false type: security-advisory cve: CVE-2025-27636 severity: MODERATE summary: "Camel Message Header Injection via Improper Filtering" description: "This vulnerability is only present in the following situation. The user is using one of the following HTTP Servers via one the of the following Camel components: camel-servlet, camel-jetty, camel-undertow, camel-platform-http and camel-netty-http and in the route, the exchange will be routed to a camel-bean producer. So ONLY camel-bean component is affected. In particular: The bean invocation (is only affected if you use any of the above together with camel-bean component) and the bean that can be called, has more than 1 method implemented. In these, limited and particular, conditions an attacker could be able to forge a Camel header name and make the bean component invoking other methods in the SAME bean. The vulnerability arises due to a bug in the default filtering mechanism that only blocks headers starting with 'Camel', 'camel', or 'org.apache.camel.'. This vulnerability is present in Camel's default incoming header filter, that allows an attacker to include Camel specific headers that for some Camel components can alter the behaviours such as the camel-bean component, to call another method on the bean, than was coded in the application. In the camel-jms component, then a mallicous header can be used to send the message to another queue (on the same broker) than was coded in the application. The attacker would need to inject custom headers, such as HTTP protocols. So if you have Camel applications that are directly connected to the internet via HTTP, then an attacker could include malicious HTTP headers in the HTTP requests that are send to the Camel application. All the known Camel HTTP component such as camel-servlet, camel-jetty, camel-undertow, camel-platform-http, and camel-netty-http would be vulnerable out of the box. In terms of usage of the default header filter strategy the list of components using that is: camel-activemq camel-activemq6 camel-amqp camel-aws2-sqs camel-azure-servicebus camel-cxf-rest camel-cxf-soap camel-http camel-jetty camel-jms camel-kafka camel-knative camel-mail camel-nats camel-netty-http camel-platform-http camel-rest camel-servlet camel-sjms camel-spring-rabbitmq camel-stomp camel-tahu camel-undertow camel-xmpp" mitigation: "Users are recommended to upgrade to version 4.10.2 for 4.10.x LTS, 4.8.5 for 4.8.x LTS and 3.22.4 for 3.x releases. Also, users could use removeHeaders EIP, to filter out anything like 'cAmel, cAMEL' etc, or in general everything not starting with 'Camel', 'camel' or 'org.apache.camel.'." credit: "This issue was discovered by Mark Thorson of AT&T" affected: Apache Camel 4.10.0 before 4.10.2. Apache Camel 4.8.0 before 4.8.5. Apache Camel 3.10.0 before 3.22.4. fixed: 3.22.4, 4.8.5 and 4.10.2 - --- The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-21828 refers to the various commits that resolved the issue, and have more details. -----BEGIN PGP SIGNATURE----- iQEzBAEBCAAdFiEEJ2Y0ButtuvUpHyYV406fOAL/QQAFAmfPKdsACgkQ406fOAL/ QQAowQgApMrMHcnk0VOdlYNDVhfzbuMeoOxPEEXUnMHb/Kg6pVH3NTDlwF/c1zsu gNhe+zJRiFNQGpkdzJYgO4Z+6YtijPRZN/hWGjJ9SZ/N2PHGkUSEnPZO6hjKO1Sh vjhUM4PIW677oOxoBp4e8JqnM4QSz/7oE9MToCzYqw53ojrRn5eo+tFUvG9XfYd2 VCDnTN9Kj6ZC/URqjMiCROoeW0YGACLVLnzmJy8XQiSNI66dpwvke/i/TRxpswIP uEgHqURILJZdtP0kYmEXHjjBAjfbgWyg/9NzjasiPUXWOi3vXUaIJ4g2b8w00mEK wchO7hhpAVWa4pTe4ed4EctsvE0AYQ== =j4xI -----END PGP SIGNATURE-----