-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- ---
title: "Apache Camel Security Advisory - CVE-2025-27636"
date: 2025-03-09T04:30:42+02:00
url: /security/CVE-2025-27636.html
draft: false
type: security-advisory
cve: CVE-2025-27636
severity: MODERATE
summary: "Apache Camel: Camel Message Header Injection via Improper Filtering"
description: "The default header filter strategy in Camel could be bypassed by altering the casing of letters. The default filtering mechanism that only blocks headers starting with 'Camel', 'camel', or 'org.apache.camel.'. This allows attackers to inject headers which can be exploited to invoke arbitrary methods from the Bean registry and also supports using Simple Expression Language (or OGNL in some cases) as part of the method parameters passed to the bean. It's important to note that only methods in the same bean declared in the bean URI could be invoked."
mitigation: "Users are recommended to upgrade to version 4.10.2 for 4.10.x LTS, 4.8.5 for 4.8.x LTS and 3.22.4 for 3.x releases."
credit: "This issue was discovered by Mark Thorson of AT&T"
affected: Apache Camel 4.10.0 before 4.10.2. Apache Camel 4.8.0 before 4.8.5. Apache Camel 3.10.0 before 3.22.4.
fixed: 3.22.4, 4.8.5 and 4.10.2 
- ---

The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-21828 refers to the various commits that resolved the issue, and have more details.
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEEJ2Y0ButtuvUpHyYV406fOAL/QQAFAmfNc5IACgkQ406fOAL/
QQBf3Qf7BIb5J4mT85gZHlcYtqGkUnS9BLJSAI2odYCy9M9bvskA9vIqVHLDPXrM
YBKDaesnzGbdc9HFwJ9WLxKjwVjLfUL6UH02eSGrg2gHMKgMTvmumjLcHsYZIodl
7ALbTjsU+RkdluDd9RUJylDGp8T7dFXPDs78adYNO5b+APdPk/jz1LpUQ1nCSzwV
oOiiABPTJwK4qrPaWWApatbLYQulHsfWqXJ8guaeb/IbqV0u7jDD08/F5E1ph8AF
zrrn4t4GLyU6OJUeiECy/ZP1w5MWzipt9cMPQn97oPbjJH4CGpQCS8pO6bMj5JXf
/LITN6o6RMqDxSszdmF0UVfHbiCo8w==
=KuUE
-----END PGP SIGNATURE-----