Apache Camel security advisory: CVE-2025-27636

Severity

MODERATE

Summary

Apache Camel: Camel Message Header Injection via Improper Filtering

Versions affected

Apache Camel 4.10.0 before 4.10.2. Apache Camel 4.8.0 before 4.8.5. Apache Camel 3.10.0 before 3.22.4.

Versions fixed

3.22.4, 4.8.5 and 4.10.2

Description

The default header filter strategy in Camel could be bypassed by altering the casing of letters. The default filtering mechanism that only blocks headers starting with 'Camel', 'camel', or 'org.apache.camel.'. This allows attackers to inject headers which can be exploited to invoke arbitrary methods from the Bean registry and also supports using Simple Expression Language (or OGNL in some cases) as part of the method parameters passed to the bean. It's important to note that only methods in the same bean declared in the bean URI could be invoked.

Notes

The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-21828 refers to the various commits that resolved the issue, and have more details.

Mitigation

Users are recommended to upgrade to version 4.10.2 for 4.10.x LTS, 4.8.5 for 4.8.x LTS and 3.22.4 for 3.x releases.

Credit

This issue was discovered by Mark Thorson of AT&T

References

PGP signed advisory data: CVE-2025-27636.txt.asc
Mitre CVE Entry: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-27636
Edit this Page Back to top