Bypass/Injection Vulnerability in Apache Camel's Undertow Component
CVE-2025-30177
What is CVE-2025-30177?
A bypass and injection vulnerability has been identified in the Camel Undertow component of Apache Camel. The issue arises under specific conditions involving the filtering of message headers: the custom header filter strategy is applied primarily in the 'out' direction and neglects the 'in' direction. This oversight enables an attacker to inject Camel-specific headers that could alter the behavior of certain Camel components, such as camel-bean and camel-exec. Users should upgrade to version 4.10.3 for the 4.10.x LTS or to 4.8.6 for the 4.8.x LTS to mitigate this security risk.
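As an added illustration (not Apache Camel's own code or its fix), the class below shows the shape of a header filter strategy that applies the same rule in both directions, using Camel's public HeaderFilterStrategy interface. The policy of dropping every header whose name starts with "Camel" is an assumption chosen for the example; the exact headers the patched releases block are not stated on this page.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import org.apache.camel.Exchange;
import org.apache.camel.spi.HeaderFilterStrategy;

/**
 * Illustrative strategy: Camel-internal headers are filtered whether they are
 * leaving Camel ("out") or arriving from the external side ("in").
 * Returning true from either method tells Camel to drop the header.
 */
public class BothDirectionsHeaderFilterStrategy implements HeaderFilterStrategy {

    // Assumed policy for this example: names beginning with "Camel" (any case)
    // are treated as internal and must not cross the component boundary.
    static boolean isCamelInternal(String headerName) {
        return headerName != null && headerName.regionMatches(true, 0, "Camel", 0, 5);
    }

    /** "out" direction: Camel headers being copied to the external message. */
    @Override
    public boolean applyFilterToCamelHeaders(String headerName, Object headerValue, Exchange exchange) {
        return isCamelInternal(headerName);
    }

    /** "in" direction: external headers being copied into the Camel message.
     *  This is the direction the advisory says the vulnerable strategy neglected. */
    @Override
    public boolean applyFilterToExternalHeaders(String headerName, Object headerValue, Exchange exchange) {
        return isCamelInternal(headerName);
    }

    /** Helper for a stand-alone check: returns only the inbound headers that survive filtering. */
    static Map<String, Object> filterInbound(HeaderFilterStrategy strategy, Map<String, Object> external) {
        Map<String, Object> kept = new LinkedHashMap<>();
        for (Map.Entry<String, Object> e : external.entrySet()) {
            if (!strategy.applyFilterToExternalHeaders(e.getKey(), e.getValue(), null)) {
                kept.put(e.getKey(), e.getValue());
            }
        }
        return kept;
    }

    public static void main(String[] args) {
        // Constructed sample of inbound headers: one ordinary, two Camel-prefixed.
        Map<String, Object> inbound = new LinkedHashMap<>();
        inbound.put("Content-Type", "text/plain");
        inbound.put("CamelExampleHeader", "x");   // constructed name, not a real Camel header
        inbound.put("camelOtherHeader", "y");     // constructed name, mixed case
        // Expected: only Content-Type remains.
        System.out.println(filterInbound(new BothDirectionsHeaderFilterStrategy(), inbound));
    }
}
```

To use it with the Undertow endpoint, register the bean and reference it via the component's headerFilterStrategy option, as you would any custom HeaderFilterStrategy.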
Affected Version(s)
Apache Camel 4.10.0 < 4.10.3
Apache Camel 4.8.0 < 4.8.6