Bypass/Injection Vulnerability in Apache Camel Products from the Apache Software Foundation
CVE-2025-29891

4.8 MEDIUM

Key Information:

Vendor
Apache
CVE Published:
12 March 2025

Badges

📈 Score: 437 · 📰 News Worthy

What is CVE-2025-29891?

CVE-2025-29891 is a bypass/injection vulnerability in Apache Camel, an open-source integration framework used to route and transform data between systems. The flaw lies in Camel's default incoming header filter: an attacker can get Camel-specific headers past it and so manipulate Camel components such as camel-bean or camel-exec. Successful exploitation alters application behaviour in ways the application did not intend, which is a serious risk for organisations running Apache Camel in web applications, particularly those exposed directly to the internet.

Technical Details

The vulnerability affects Apache Camel versions from 4.10.0 before 4.10.2, from 4.8.0 before 4.8.5, and from 3.10.0 before 3.22.4. An attacker exploits it by supplying Camel-specific headers in an HTTP request, either as request parameters or inside the payload, which the default incoming header filter does not remove. The Camel HTTP components that accept such requests, including camel-servlet, camel-jetty, camel-undertow, camel-platform-http and camel-netty-http, are therefore vulnerable out of the box. Users are advised to upgrade to the latest patched versions to remediate the issue.
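The filter weakness described above, illustrated as an added example in Python. This is not Apache Camel code: the reserved prefixes, the case-insensitive match, and the sample request and access-log lines are all constructed for the illustration. It contrasts a weak filter that screens HTTP headers but lets the same reserved keys in through the query string with a hardened filter that applies one rule to every inbound channel, and adds a small log scan a defender can run to spot reserved-looking keys arriving as request parameters.

```python
import re
from urllib.parse import parse_qsl

# Prefixes treated as framework-reserved. Assumption for this example;
# the real deny list lives in the framework's own header filter.
RESERVED_PREFIXES = ("camel", "org.apache.camel")

# Constructed sample request: a plain header, a reserved-looking header,
# and reserved-looking keys smuggled in through the query string.
SAMPLE_HEADERS = {
    "Content-Type": "application/json",
    "CamelFoo": "injected",
}
SAMPLE_QUERY = "name=alice&CamelBar=injected&camelbaz=injected"

# Constructed access-log lines for the detection function below.
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [12/Mar/2025:14:06:47 +0000] "GET /api?name=alice HTTP/1.1" 200',
    '10.0.0.9 - - [12/Mar/2025:14:07:01 +0000] "GET /api?CamelBar=x HTTP/1.1" 200',
    '10.0.0.9 - - [12/Mar/2025:14:07:05 +0000] "POST /api?camelbaz=x HTTP/1.1" 200',
]


def is_reserved(key: str) -> bool:
    """True if the key begins with a reserved prefix, compared case-insensitively."""
    k = key.lower()
    return any(k.startswith(p) for p in RESERVED_PREFIXES)


def weak_filter(headers: dict, query: str) -> dict:
    """Models the flawed pattern: reserved keys are stripped from HTTP headers,
    but query parameters are merged into the message headers unchecked."""
    message = {k: v for k, v in headers.items() if not is_reserved(k)}
    message.update(dict(parse_qsl(query)))
    return message


def hardened_filter(headers: dict, query: str) -> tuple:
    """Applies the same reserved-key rule to every inbound channel and
    returns the dropped keys so the caller can log or alert on them."""
    message, dropped = {}, []
    for source in (headers.items(), parse_qsl(query)):
        for k, v in source:
            if is_reserved(k):
                dropped.append(k)
            else:
                message[k] = v
    return message, dropped


_REQUEST_LINE = re.compile(r'"(?:GET|POST|PUT|DELETE) (\S+) HTTP/')


def flag_reserved_params(log_lines) -> list:
    """Returns the access-log lines whose query string carries a reserved-looking
    key, a quick check for whether a service has seen this pattern."""
    hits = []
    for line in log_lines:
        m = _REQUEST_LINE.search(line)
        if not m:
            continue
        _, _, query = m.group(1).partition("?")
        if any(is_reserved(k) for k, _ in parse_qsl(query)):
            hits.append(line)
    return hits


if __name__ == "__main__":
    print("weak    :", weak_filter(SAMPLE_HEADERS, SAMPLE_QUERY))
    print("hardened:", hardened_filter(SAMPLE_HEADERS, SAMPLE_QUERY))
    for hit in flag_reserved_params(SAMPLE_ACCESS_LOG):
        print("flagged :", hit)
```

The point the weak filter makes is that a deny rule applied to one inbound channel says nothing about the others; the hardened version runs the same rule over headers and parameters alike and reports what it dropped, so the drop events can feed detection rather than disappearing silently.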

Potential impact of CVE-2025-29891

  1. Unauthorized Access and Control: If exploited, this vulnerability can allow attackers to execute unauthorized commands within the application, compromising data integrity and leading to potential data breaches.

  2. Altered Application Behaviors: Attackers can manipulate the functioning of various components, leading to unexpected behaviors in applications, which could disrupt business processes and compromise application reliability.

  3. Increased Attack Surface: Given that many installations of Apache Camel are internet-facing, the presence of this vulnerability increases the attack surface, making systems more susceptible to various types of cyber threats, including but not limited to data theft and service disruptions.

Affected Version(s)

Apache Camel 4.10.0 < 4.10.2

Apache Camel 4.8.0 < 4.8.5

Apache Camel 3.10.0 < 3.22.4

News Articles

oss-sec: CVE-2025-29891: Apache Camel: Camel Message Header Injection through request parameters

oss-sec mailing list archives From: Andrea Cosentino <acosentino () apache org> Date: Wed, 12 Mar 2025 14:06:47 +0000 Severity: important Affected versions: - Apache Camel 4.10.0 before 4.10.2 -...

CVSS V3.1

Score: 4.8
Severity: MEDIUM
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • 📰 First article discovered by Seclists.org

  • Vulnerability published

  • Vulnerability Reserved

Credit

Ryan Barnett from Akamai Security Intelligence Group (SIG).