Deserialization Vulnerability in Apache Camel LevelDB Component by Apache
CVE-2026-25747

Currently unrated

Key Information:

Vendor

Apache
Status
Apache Camel
Vendor
CVE Published:
23 February 2026

Badges

๐Ÿ‘พ Exploit Exists๐ŸŸก Public PoC

What is CVE-2026-25747?

A deserialization vulnerability exists in the LevelDB component of Apache Camel, allowing attackers to inject crafted serialized Java objects. This occurs when the DefaultLevelDBSerializer class deserializes data from the LevelDB repository using java.io.ObjectInputStream without proper filtering or restrictions. If an attacker can write to the LevelDB database files, they can execute arbitrary code during the deserialization process, posing a significant security threat to affected applications.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

Apache Camel 4.10.0 < 4.10.9

Apache Camel 4.14.0 < 4.14.5

Apache Camel 4.15.0 < 4.18.0

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2026-25747 - Proof of Concept

References

https://github.com/oscerd/CVE-2026-25747
exploit
https://camel.apache.org/security/CVE-2026-25747.html
vendor-advisory

Timeline

  • ๐ŸŸก

    Public PoC available

  • ๐Ÿ‘พ

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

Andrea Cosentino
Andrea Cosentino
JSON
.