Bypass/Injection Vulnerability in Apache Camel's Undertow Component
CVE-2025-30177

Key Information:

Vendor: Apache
CVE Published: 1 April 2025

Summary

A bypass and injection vulnerability has been identified in the Camel Undertow component of Apache Camel. The issue arises under specific conditions involving the filtering of message headers. The custom header filter strategy primarily applies to the 'out' direction, neglecting the 'in' direction. This oversight enables an attacker to inject Camel-specific headers that could alter the behavior of certain Camel components, such as camel-bean and camel-exec. It is crucial for users to upgrade to version 4.10.3 for the 4.10.x LTS or to 4.8.6 for the 4.8.x LTS to mitigate this security risk.
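The direction asymmetry described above is easiest to see with a small model. The following Python is an added illustration written for this advisory; it is not Apache Camel's code and uses none of Camel's HeaderFilterStrategy API. Everything in it (the DirectionalHeaderFilter class, the CamelExampleHeader and camelexampleother names, and the sample request headers) is constructed. It contrasts a filter applied only to the 'out' direction, which lets Camel-style header names arrive from an inbound request untouched, with one that applies the same pattern to both directions, and matches names case-insensitively because HTTP header names are case-insensitive.

```python
import re
from typing import Dict, Mapping, Optional

# Constructed model of a direction-aware header filter (not Camel's own API).
# "in"  = headers arriving from outside (HTTP request -> Camel message)
# "out" = headers leaving Camel (Camel message -> HTTP response)

# HTTP header names are case-insensitive, so the pattern must be too.
CAMEL_HEADER_PATTERN = re.compile(r"^camel", re.IGNORECASE)


class DirectionalHeaderFilter:
    """Drops headers whose names match the pattern for the given direction.

    A pattern of None means that direction is not filtered at all, which is
    the shape of the flaw the advisory describes for the 'in' direction.
    """

    def __init__(self, in_pattern: Optional[re.Pattern], out_pattern: Optional[re.Pattern]):
        self.in_pattern = in_pattern
        self.out_pattern = out_pattern

    def apply(self, direction: str, headers: Mapping[str, str]) -> Dict[str, str]:
        if direction == "in":
            pattern = self.in_pattern
        elif direction == "out":
            pattern = self.out_pattern
        else:
            raise ValueError(f"unknown direction: {direction}")
        if pattern is None:
            return dict(headers)  # nothing filtered in this direction
        return {name: value for name, value in headers.items() if not pattern.search(name)}


# Out-only filtering: models the vulnerable condition (in direction neglected).
OUT_ONLY_FILTER = DirectionalHeaderFilter(in_pattern=None, out_pattern=CAMEL_HEADER_PATTERN)

# Filtering in both directions: the hardened shape.
BOTH_WAYS_FILTER = DirectionalHeaderFilter(in_pattern=CAMEL_HEADER_PATTERN,
                                           out_pattern=CAMEL_HEADER_PATTERN)

# Constructed inbound request headers (sample data, not a real capture).
SAMPLE_REQUEST_HEADERS = {
    "Host": "example.internal",
    "Content-Type": "application/json",
    "CamelExampleHeader": "constructed-value",  # constructed Camel-style name
    "camelexampleother": "lower-case-variant",  # case variant of the same idea
    "X-Request-Id": "abc-123",
}


def inbound_headers_reaching_route(filter_: DirectionalHeaderFilter,
                                   request_headers: Mapping[str, str]) -> Dict[str, str]:
    """Headers that survive the filter on the 'in' direction, i.e. reach the route."""
    return filter_.apply("in", request_headers)


def leaked_camel_headers(filter_: DirectionalHeaderFilter,
                         request_headers: Mapping[str, str]) -> list:
    """Names of Camel-style headers the filter lets through from the outside.

    A non-empty result is the condition a defender wants to detect: external
    input is able to set headers reserved for Camel's own use.
    """
    kept = inbound_headers_reaching_route(filter_, request_headers)
    return sorted(name for name in kept if CAMEL_HEADER_PATTERN.search(name))


if __name__ == "__main__":
    print("out-only filter leaks:", leaked_camel_headers(OUT_ONLY_FILTER, SAMPLE_REQUEST_HEADERS))
    print("both-ways filter leaks:", leaked_camel_headers(BOTH_WAYS_FILTER, SAMPLE_REQUEST_HEADERS))
```

The check to carry over to a real deployment is the second function: feed a request carrying Camel-style header names through whatever sits in front of the route and confirm none of them arrive, in any letter case. Upgrading to the fixed releases named above is the remediation; a test like this verifies the fix is actually in effect on the path external traffic takes.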

Affected Version(s)

Apache Camel 4.10.0 < 4.10.3

Apache Camel 4.8.0 < 4.8.6

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Mark Thorson of AT&T