Headline

GHSA-2c2h-2855-mf97: Apache Camel: Camel Message Header Injection via Improper Filtering

Bypass/Injection vulnerability in Apache Camel-Bean component under particular conditions.

This issue affects Apache Camel: from 4.9.0 through <= 4.10.1, from 4.0.0-M1 through <= 4.8.4, from 3.10.0 through <= 3.22.3.

Users are recommended to upgrade to version 4.10.2 for 4.10.x LTS, 4.8.5 for 4.8.x LTS and 3.22.4 for 3.x releases.

This vulnerability is only present in the following situation. The user is using one of the following HTTP Servers via one the of the following Camel components

camel-servlet
camel-jetty
camel-undertow
camel-platform-http
camel-netty-http

and in the route, the exchange will be routed to a camel-bean producer. So ONLY camel-bean component is affected. In particular:

The bean invocation (is only affected if you use any of the above together with camel-bean component).
The bean that can be called, has more than 1 method implemented. In these conditions an attacker could be able to forge a Camel header name and make the bean component invoking other methods in the same bean.

The vulnerability arises due to a bug in the default filtering mechanism that only blocks headers starting with "Camel", "camel", or "org.apache.camel.".

Mitigation: You can easily work around this in your Camel applications by removing the headers in your Camel routes. There are many ways of doing this, also globally or per route. This means you could use the removeHeaders EIP, to filter out anything like “cAmel, cAMEL” etc, or in general everything not starting with "Camel", “camel” or "org.apache.camel.".

3 months ago

ghsa

Open in Source

#vulnerability #apache #git #java #jira #maven

GitHub Advisory Database
GitHub Reviewed
CVE-2025-27636

Apache Camel: Camel Message Header Injection via Improper Filtering

Moderate severity GitHub Reviewed Published Mar 9, 2025 to the GitHub Advisory Database • Updated Mar 10, 2025

Package

maven org.apache.camel:camel-support (Maven)

Affected versions

>= 3.10.0, < 3.22.4

>= 4.9.0, < 4.10.2

>= 4.0.0-M1, < 4.8.5

Patched versions

3.22.4

4.10.2

4.8.5

Bypass/Injection vulnerability in Apache Camel-Bean component under particular conditions.

This issue affects Apache Camel: from 4.9.0 through <= 4.10.1, from 4.0.0-M1 through <= 4.8.4, from 3.10.0 through <= 3.22.3.

Users are recommended to upgrade to version 4.10.2 for 4.10.x LTS, 4.8.5 for 4.8.x LTS and 3.22.4 for 3.x releases.

This vulnerability is only present in the following situation. The user is using one of the following HTTP Servers via one the of the following Camel components

camel-servlet
camel-jetty
camel-undertow
camel-platform-http
camel-netty-http

and in the route, the exchange will be routed to a camel-bean producer. So ONLY camel-bean component is affected. In particular:

The bean invocation (is only affected if you use any of the above together with camel-bean component).
The bean that can be called, has more than 1 method implemented.
In these conditions an attacker could be able to forge a Camel header name and make the bean component invoking other methods in the same bean.

The vulnerability arises due to a bug in the default filtering mechanism that only blocks headers starting with "Camel", "camel", or "org.apache.camel.".

References

https://nvd.nist.gov/vuln/detail/CVE-2025-27636
https://lists.apache.org/thread/l3zcg3vts88bmc7w8172wkgw610y693z
http://www.openwall.com/lists/oss-security/2025/03/09/1
https://issues.apache.org/jira/browse/CAMEL-21828
https://camel.apache.org/security/CVE-2025-27636.html
apache/camel@23a833e
apache/camel@45a6b74
https://github.com/apache/camel/blob/camel-4.9.0/core/camel-support/src/main/java/org/apache/camel/support/DefaultHeaderFilterStrategy.java

Published to the GitHub Advisory Database

Mar 9, 2025

Last updated

Mar 10, 2025