Bypass/Injection Vulnerability in Apache Camel by Apache
CVE-2025-27636
Summary
Apache Camel's default incoming header filter is meant to drop Camel-internal headers (names beginning with Camel or org.apache.camel) that arrive from outside the application, but it matched that prefix case-sensitively, while Camel itself resolves header names case-insensitively. A remote caller who reaches a Camel route through an HTTP consumer (Apache's advisory lists camel-servlet, camel-jetty, camel-undertow, camel-platform-http and camel-netty-http as vulnerable out of the box) can therefore send a header such as CAmelBeanMethodName that passes the filter and is then honoured as CamelBeanMethodName, steering the camel-bean component to invoke a method on the target bean other than the one coded in the route; the same advisory notes that other components, camel-jms and camel-exec among them, can have their behaviour altered by injected Camel headers in the same way. The flaw is fixed in 4.10.2, 4.8.5 and 3.22.4. Until an upgrade is possible, strip untrusted headers in the route before the exchange reaches a bean, for example with the removeHeaders EIP, matching the Camel prefix in every casing rather than only the canonical one.
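The following added example models the bug class described above; it is illustrative code written for this page, not Apache Camel's own DefaultHeaderFilterStrategy or bean-component source. It assumes a simplified prefix regex (the real filter pattern is longer), models Camel's case-insensitive header map with a TreeMap ordered by String.CASE_INSENSITIVE_ORDER, and uses a constructed request with a hypothetical method name deleteAllRecords. It shows the case-sensitive filter letting CAmelBeanMethodName through, the case-insensitive lookup then honouring it, the corrected filter dropping it, and the route-level mitigation of stripping every Camel-prefixed header regardless of case.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.TreeMap;
import java.util.regex.Pattern;

/**
 * Model of the CVE-2025-27636 bug class: an incoming header filter that
 * matches the "Camel" prefix case-sensitively, sitting in front of a header
 * store that resolves names case-insensitively. Simplified illustration,
 * not Apache Camel's own code.
 */
public class CamelHeaderFilterDemo {

    // Vulnerable filter: only exact-case "Camel"/"org.apache.camel" prefixes are dropped
    // (simplified stand-in for the pre-fix pattern, which is an assumption of this example).
    static final Pattern FILTER_VULNERABLE =
            Pattern.compile("^(Camel|org\\.apache\\.camel).*");

    // Fixed filter: the same prefixes, matched case-insensitively.
    static final Pattern FILTER_FIXED =
            Pattern.compile("(?i)^(Camel|org\\.apache\\.camel).*");

    /** Returns the headers that survive the given filter, stored case-insensitively
     *  to mirror how Camel resolves header names. */
    static Map<String, String> filterIncoming(Map<String, String> raw, Pattern filter) {
        Map<String, String> kept = new TreeMap<>(String.CASE_INSENSITIVE_ORDER);
        for (Map.Entry<String, String> e : raw.entrySet()) {
            if (!filter.matcher(e.getKey()).matches()) {
                kept.put(e.getKey(), e.getValue());
            }
        }
        return kept;
    }

    /** Models the bean component's method selection: CamelBeanMethodName, if present
     *  (looked up case-insensitively), overrides the method coded in the route. */
    static String selectBeanMethod(Map<String, String> headers, String codedMethod) {
        String override = headers.get("CamelBeanMethodName");
        return override != null ? override : codedMethod;
    }

    /** Route-level mitigation in the spirit of the removeHeaders workaround:
     *  drop every header whose name starts with a Camel prefix in any casing,
     *  independently of what the component's own filter did. */
    static Map<String, String> stripCamelHeaders(Map<String, String> headers) {
        return filterIncoming(headers, FILTER_FIXED);
    }

    public static void main(String[] args) {
        // Constructed request headers: one benign header and one attacker-chosen
        // Camel header whose prefix casing is varied to slip past the filter.
        Map<String, String> request = new LinkedHashMap<>();
        request.put("Content-Type", "application/json");
        request.put("CAmelBeanMethodName", "deleteAllRecords"); // hypothetical method name

        Map<String, String> vuln = filterIncoming(request, FILTER_VULNERABLE);
        System.out.println("vulnerable filter kept: " + vuln.keySet());
        System.out.println("bean method invoked:    " + selectBeanMethod(vuln, "createRecord"));

        Map<String, String> fixed = filterIncoming(request, FILTER_FIXED);
        System.out.println("fixed filter kept:      " + fixed.keySet());
        System.out.println("bean method invoked:    " + selectBeanMethod(fixed, "createRecord"));

        Map<String, String> mitigated = stripCamelHeaders(vuln);
        System.out.println("after route mitigation: " + mitigated.keySet()
                + " -> " + selectBeanMethod(mitigated, "createRecord"));
    }
}
```

Run with `java CamelHeaderFilterDemo.java` (JDK 11 or later). With the vulnerable filter the injected header survives and the bean would be asked for deleteAllRecords instead of createRecord; with the fixed filter, or after the route-level strip, the header is gone and the coded method is used. The check worth carrying into your own routes is the last one: filter on the prefix case-insensitively, because the header store that downstream components read from does not distinguish CAmel from Camel.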
Affected Version(s)
Apache Camel 4.10.0 through 4.10.1 (fixed in 4.10.2)
Apache Camel 4.8.0 through 4.8.4 (fixed in 4.8.5)
Apache Camel 3.10.0 through 3.22.3 (fixed in 3.22.4)
Credit
Mark Thorson