CVE-2025-27636
Published: 2025-03-09
Priority: P278 · medium · 5.6 (CVSS 3.1)
CVSS 3.1 vector: AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 79.82% (99.6th percentile)
Bypass/Injection vulnerability in Apache Camel components under particular conditions.
This issue affects Apache Camel: from 4.10.0 through <= 4.10.1, from 4.8.0 through <= 4.8.4, from 3.10.0 through <= 3.22.3.
Users are recommended to upgrade to version 4.10.2 for 4.10.x LTS, 4.8.5 for 4.8.x LTS and 3.22.4 for 3.x releases.
This vulnerability is present in Camel's default incoming header filter, which allows an attacker to include Camel-specific headers that, for some Camel components, can alter behaviour: in the camel-bean component, to call a different method on the bean than the one coded in the application; in the camel-jms component, a malicious header can be used to send the message to another queue (on the same broker) than the one coded in the application. The same effect can be seen with the camel-exec component.
The attacker would need to inject custom headers, for example over HTTP. So if you have Camel applications that are directly connected to the internet via HTTP, an attacker could include malicious HTTP headers in the HTTP requests that are sent to the Camel application.
All the known Camel HTTP components, such as camel-servlet, camel-jetty, camel-undertow, camel-platform-http and camel-netty-http, would be vulnerable out of the box.
Under these conditions an attacker could forge a Camel header name and make the bean component invoke other methods in the same bean.
The components that use the default header filter strategy are:
* camel-activemq
* camel-activemq6
* camel-amqp
* camel-aws2-sqs
* camel-azure-servicebus
* camel-cxf-rest
* camel-cxf-soap
* camel-http
* camel-jetty
* camel-jms
* camel-kafka
* camel-knative
* camel-mail
* camel-nats
* camel-netty-http
* camel-platform-http
* camel-rest
* camel-sjms
* camel-spring-rabbitmq
* camel-stomp
* camel-tahu
* camel-undertow
* camel-xmpp
The vulnerability arises due to a bug in the default filtering mechanism that only blocks headers st
Affected (19 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | camel | — | — |
| apache | camel | — | — |
| apache | camel | >= 3.0.0 < 4.14.6 | 4.14.6 |
| apache | camel | >= 3.10.0 < 3.22.4 | 3.22.4 |
| apache | camel | >= 3.18.0 < 4.14.6 | 4.14.6 |
| apache | camel | >= 4.10.0 < 4.10.2 | 4.10.2 |
| apache | camel | >= 4.15.0 < 4.18.1 | 4.18.1 |
| apache | camel | >= 4.15.0 < 4.18.2 | 4.18.2 |
| apache | camel | >= 4.8.0 < 4.8.5 | 4.8.5 |
| apache_software_foundation | apache_camel | >= 3.18.0 < 4.14.6 | 4.14.6 |
| apache_software_foundation | apache_camel | >= 4.15.0 < 4.18.2 | 4.18.2 |
| openshift-serverless-1 | kn-eventing-integrations-aws-ddb-streams-source-rhel9 | — | — |
| openshift-serverless-1 | kn-eventing-integrations-aws-s3-sink-rhel9 | — | — |
| openshift-serverless-1 | kn-eventing-integrations-aws-s3-source-rhel9 | — | — |
| openshift-serverless-1 | kn-eventing-integrations-aws-sns-sink-rhel9 | — | — |
| openshift-serverless-1 | kn-eventing-integrations-aws-sqs-sink-rhel9 | — | — |
| openshift-serverless-1 | kn-eventing-integrations-aws-sqs-source-rhel9 | — | — |
| openshift-serverless-1 | kn-eventing-integrations-log-sink-rhel9 | — | — |
| openshift-serverless-1 | kn-eventing-integrations-timer-source-rhel9 | — | — |
Detection & IOCs (extracted from sources)
- The vulnerability exploits case-variant Camel-prefixed headers that bypass the default incoming header filter. Monitor HTTP requests for headers starting with mixed-case variants of 'Camel', 'camel', or 'org.apache.camel.' (e.g., 'cAmel', 'cAMEL') that would bypass the default filter.
- Exploitation is possible via HTTP request parameters (not just headers): monitor for Camel-specific header names injected as HTTP query parameters or request-body parameters in applications using camel-servlet, camel-jetty, camel-undertow, camel-platform-http, or camel-netty-http.
- Focus detection on downstream vulnerable components: camel-bean (method invocation manipulation), camel-exec (arbitrary command execution), camel-jms (queue redirection), and camel-sql. Alert on injected headers targeting these components.
- All known Camel HTTP components are vulnerable out of the box, so prioritize monitoring ingress traffic to applications using camel-servlet, camel-jetty, camel-undertow, camel-platform-http, and camel-netty-http for anomalous Camel-prefixed headers or parameters.
- Active scanning and exploit attempts were observed in the wild in March 2025 shortly after disclosure. Treat any probe traffic targeting Apache Camel HTTP endpoints with Camel-prefixed headers/parameters as potentially malicious.
- Exploitation requires the Camel route to use a vulnerable downstream component (camel-bean as producer, camel-exec, camel-jms, or camel-sql) AND the exchange must originate from an HTTP-based consumer. Not all Camel deployments are affected.
- The default header filter only blocks the 'out' direction; the 'in' direction filter (setInFilterStartsWith) is not configured, meaning inbound Camel-prefixed headers pass through unfiltered. Detection/mitigation must address the inbound path specifically.
- A broad set of components use the default header filter strategy and are therefore in scope for this vulnerability. Detection rules should cover all listed components.
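The following Python is an added example, not Apache Camel's code and not part of any of the advisories quoted on this page. It models the two filter behaviours the page describes (a case-sensitive `startsWith` check on the prefixes `Camel`, `camel` and `org.apache.camel.`, beside the fixed variant that lower-cases the name first, as the `setLowerCase(true)` fix does) and runs a detector over constructed sample HTTP requests, checking both header names and query-parameter names because the parameter path (CVE-2025-29891) maps onto the same headers. The header name `CamelExecCommandExecutable` is taken from the page; the hostnames, paths and header values are constructed placeholders.

```python
"""Model of Apache Camel's default inbound header filter and a detector for
case-variant Camel-prefixed names in HTTP requests (CVE-2025-27636 and the
query-parameter variant CVE-2025-29891). Example code added to the page, not
Apache Camel's own implementation; all request samples are constructed."""
from urllib.parse import parse_qsl, urlsplit

# Prefixes the default filter strategy blocks, as named on this page.
BLOCKED_PREFIXES = ("Camel", "camel", "org.apache.camel.")


def blocked_pre_fix(name: str) -> bool:
    """Pre-fix behaviour: a case-sensitive startsWith check. 'CamelFoo' and
    'camelFoo' are dropped, but a case variant such as 'cAMELFoo' passes."""
    return any(name.startswith(p) for p in BLOCKED_PREFIXES)


def blocked_post_fix(name: str) -> bool:
    """Fixed behaviour (setLowerCase(true)): the name is lower-cased before
    the prefix comparison, so every case variant is treated alike."""
    lower = name.lower()
    return any(lower.startswith(p.lower()) for p in BLOCKED_PREFIXES)


def inspect_request(request_line: str, headers: dict) -> list:
    """Classify suspicious names in one inbound HTTP request.

    Returns (location, name, verdict) tuples. Header names and query-parameter
    names are both checked, because camel-http maps query parameters onto
    message headers as well. Verdicts:
      'bypass' - case variant: would have passed the pre-fix filter
      'probe'  - exact-case Camel name: filtered even before the fix, but an
                 external client has no legitimate reason to send it
    """
    candidates = [("header", h) for h in headers]
    target = request_line.split()[1]  # '/api?x=1' out of 'GET /api?x=1 HTTP/1.1'
    query = urlsplit(target).query
    candidates += [("query", k) for k, _ in parse_qsl(query, keep_blank_values=True)]

    findings = []
    for location, name in candidates:
        if not blocked_post_fix(name):
            continue  # not Camel-prefixed under any casing
        verdict = "probe" if blocked_pre_fix(name) else "bypass"
        findings.append((location, name, verdict))
    return findings


# Constructed sample traffic: a benign request, a header-based case variant,
# a query-parameter case variant, and an exact-case probe.
SAMPLE_REQUESTS = [
    ("GET /api/orders?id=42 HTTP/1.1",
     {"Host": "example.internal", "Accept": "*/*"}),
    ("POST /api/orders HTTP/1.1",
     {"Host": "example.internal", "cAMELExecCommandExecutable": "placeholder"}),
    ("GET /api/orders?CAmelExecCommandExecutable=placeholder HTTP/1.1",
     {"Host": "example.internal"}),
    ("GET /api/orders HTTP/1.1",
     {"camelExecCommandExecutable": "placeholder"}),
]


def scan(requests=SAMPLE_REQUESTS) -> list:
    """Run inspect_request over a batch; one findings list per request."""
    return [inspect_request(line, hdrs) for line, hdrs in requests]


if __name__ == "__main__":
    for (line, _), found in zip(SAMPLE_REQUESTS, scan()):
        print(line, "->", found or "clean")
```

The 'bypass' verdict is the same logic as the Emerging Threats rules quoted further down this page (a case-insensitive match on the name that is not an exact-case match); the 'probe' verdict adds the exact-case names, which a vulnerable deployment would have filtered but which still indicate someone testing the endpoint. For JMS-fed routes the same check applies to message property names, since the follow-up CVE-2026-40453 notes the Exchange stores headers case-insensitively.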
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 5.6 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L |
| ghsa | 5.6 | MEDIUM | — |
| osv | 5.6 | MEDIUM | — |
| vulncheck | 9.8 | CRITICAL | — |
| vendor_apache | 5.6 | MEDIUM | — |
| vendor_oracle | 5.6 | MEDIUM | — |
| vendor_redhat | 5.6 | MEDIUM | — |
GHSA
GHSA-8364-hfqj-pwm6: Camel-CXF and Camel-Knative Message Header Injection via Missing Inbound Filtering
ghsa_unreviewed·2026-05-19·CVSS 5.6
CVE-2026-47323 [MEDIUM] CWE-178 GHSA-8364-hfqj-pwm6: Camel-CXF and Camel-Knative Message Header Injection via Missing Inbound Filtering
The CXF and Knative HeaderFilterStrategy implementations (CxfRsHeaderFilterStrategy in camel-cxf-rest, CxfHeaderFilterStrategy in camel-cxf-transport, and KnativeHttpHeaderFilterStrategy in camel-knative-http) only filter outbound Camel-internal headers via setOutFilterStartsWith, while not configuring inbound filtering via setInFilterStartsWith. As a result, an unauthenticated attacker can inject Camel-internal headers (e.g. CamelExecCommandExecutable, CamelFileName) via HTTP requests to CXF-RS or CXF-SOAP endpoints. When a route forwards messages from these endpoints to header-driven components such as camel-exec or camel-file, the injected headers override configured values, enabling remote code executio
GHSA
Camel-CXF and Camel-Knative Message Header are Vulnerable to Injection via Missing Inbound Filtering
ghsa·2026-05-19·CVSS 5.6
CVE-2026-47323 [MEDIUM] CWE-178 Camel-CXF and Camel-Knative Message Header are Vulnerable to Injection via Missing Inbound Filtering
Camel-CXF and Camel-Knative Message Header Injection via Missing Inbound Filtering
The CXF and Knative HeaderFilterStrategy implementations (CxfRsHeaderFilterStrategy in camel-cxf-rest, CxfHeaderFilterStrategy in camel-cxf-transport, and KnativeHttpHeaderFilterStrategy in camel-knative-http) only filter outbound Camel-internal headers via setOutFilterStartsWith, while not configuring inbound filtering via setInFilterStartsWith. As a result, an unauthenticated attacker can inject Camel-internal headers (e.g. CamelExecCommandExecutable, CamelFileName) via HTTP requests to CXF-RS or CXF-SOAP endpoints. When a route forwards messages from these endpoints to header-driven components such as ca
GHSA
Apache Camel has an incomplete fix for CVE-2025-27636
ghsa·2026-04-27·CVSS 5.6
CVE-2026-40453 [MEDIUM] CWE-178 Apache Camel has an incomplete fix for CVE-2025-27636
The fix for CVE-2025-27636 added setLowerCase(true) to HttpHeaderFilterStrategy so that case-variant header names such as 'CAmelExecCommandExecutable' are filtered out alongside 'CamelExecCommandExecutable'. The same setLowerCase(true) call was not applied to five non-HTTP HeaderFilterStrategy implementations: JmsHeaderFilterStrategy and ClassicJmsHeaderFilterStrategy in camel-jms, SjmsHeaderFilterStrategy in camel-sjms, CoAPHeaderFilterStrategy in camel-coap, and GooglePubsubHeaderFilterStrategy in camel-google-pubsub. Because those strategies use case-sensitive String.startsWith('Camel'/'camel') filtering while the Camel Exchange stores headers in a case-insensitive map, an attacker with JMS (or equivalent) producer access to the bro
GHSA
Apache Camel's Camel-Mail component is vulnerable to Camel message header injection
ghsa·2026-04-27·CVSS 5.6
CVE-2026-33454 [MEDIUM] CWE-502 Apache Camel's Camel-Mail component is vulnerable to Camel message header injection
The Camel-Mail component is vulnerable to Camel message header injection. The custom header filter strategy used by the component (MailHeaderFilterStrategy) only filters the 'out' direction via setOutFilterStartsWith, while it does not configure the 'in' direction via setInFilterStartsWith. As a result, when a Camel application consumes mail through camel-mail (for example via from(\"imap://...\") or from(\"pop3://...\")) the inbound filter check is skipped and Camel-prefixed MIME headers are mapped unfiltered into the Exchange. An attacker who can deliver an email to a mailbox monitored by such a consumer can inject Camel-specific headers that, for some Camel components downstream of the mail consumer (su
GHSA
GHSA-jg2m-9x48-3gvj: The fix for CVE-2025-27636 added setLowerCase(true) to HttpHeaderFilterStrategy so that case-variant header names such as 'CAmelExecCommandExecutable'
ghsa_unreviewed·2026-04-27·CVSS 5.6
CVE-2026-40453 [MEDIUM] CWE-178 GHSA-jg2m-9x48-3gvj: The fix for CVE-2025-27636 added setLowerCase(true) to HttpHeaderFilterStrategy so that case-variant header names such as 'CAmelExecCommandExecutable'
The fix for CVE-2025-27636 added setLowerCase(true) to HttpHeaderFilterStrategy so that case-variant header names such as 'CAmelExecCommandExecutable' are filtered out alongside 'CamelExecCommandExecutable'. The same setLowerCase(true) call was not applied to five non-HTTP HeaderFilterStrategy implementations: JmsHeaderFilterStrategy and ClassicJmsHeaderFilterStrategy in camel-jms, SjmsHeaderFilterStrategy in camel-sjms, CoAPHeaderFilterStrategy in camel-coap, and GooglePubsubHeaderFilterStrategy in camel-google-pubsub. Because those strategies use case-sensitive String.startsWith('Camel'/'camel') filtering while the Camel Exchange stores headers in a case-insensitive map, an attacker with JMS (or equivalent) producer access to the broker consumed by a Camel route can inject case-variant C
GHSA
Apache Camel Message Header Injection through request parameters
ghsa·2025-03-12·CVSS 5.6
CVE-2025-29891 [MEDIUM] CWE-164 Apache Camel Message Header Injection through request parameters
Bypass/Injection vulnerability in Apache Camel.
This issue affects Apache Camel: from 4.9.0 before 4.10.2, from 4.0.0 before 4.8.5, from 3.10.0 before 3.22.4.
Users are recommended to upgrade to version 4.10.2 for 4.10.x LTS, 4.8.5 for 4.8.x LTS and 3.22.4 for 3.x releases.
This vulnerability is present in Camel's default incoming header filter, that allows an attacker to include Camel specific headers that for some Camel components can alter the behaviours such as the camel-bean component, or the camel-exec component.
If you have Camel applications that are directly connected to the internet via HTTP, then an attacker could include parameters in the HTTP requests that are sent to the Camel application that get translate
OSV
Apache Camel Message Header Injection through request parameters
osv·2025-03-12·CVSS 5.6
CVE-2025-29891 [MEDIUM] Apache Camel Message Header Injection through request parameters
Bypass/Injection vulnerability in Apache Camel.
This issue affects Apache Camel: from 4.9.0 before 4.10.2, from 4.0.0 before 4.8.5, from 3.10.0 before 3.22.4.
Users are recommended to upgrade to version 4.10.2 for 4.10.x LTS, 4.8.5 for 4.8.x LTS and 3.22.4 for 3.x releases.
This vulnerability is present in Camel's default incoming header filter, that allows an attacker to include Camel specific headers that for some Camel components can alter the behaviours such as the camel-bean component, or the camel-exec component.
If you have Camel applications that are directly connected to the internet via HTTP, then an attacker could include parameters in the HTTP requests that are sent to the Camel application that get translate
OSV
Apache Camel: Camel Message Header Injection via Improper Filtering
osv·2025-03-09
CVE-2025-27636 [MEDIUM] Apache Camel: Camel Message Header Injection via Improper Filtering
Bypass/Injection vulnerability in Apache Camel components under particular conditions.
This issue affects Apache Camel: from 4.9.0 through <= 4.10.1, from 4.8.0 through <= 4.8.4, from 3.10.0 through <= 3.22.3.
Users are recommended to upgrade to version 4.10.2 for 4.10.x LTS, 4.8.5 for 4.8.x LTS and 3.22.4 for 3.x releases.
This vulnerability is present in Camel's default incoming header filter, that allows an attacker to include Camel specific headers that for some Camel components can alter the behaviours such as the camel-bean component, to call another method on the bean, than was coded in the application. In the `camel-jms` component, then a malicious header can be used to send the message to another queue (on the
GHSA
Apache Camel: Camel Message Header Injection via Improper Filtering
ghsa·2025-03-09
CVE-2025-27636 [MEDIUM] CWE-178 Apache Camel: Camel Message Header Injection via Improper Filtering
Bypass/Injection vulnerability in Apache Camel components under particular conditions.
This issue affects Apache Camel: from 4.9.0 through <= 4.10.1, from 4.8.0 through <= 4.8.4, from 3.10.0 through <= 3.22.3.
Users are recommended to upgrade to version 4.10.2 for 4.10.x LTS, 4.8.5 for 4.8.x LTS and 3.22.4 for 3.x releases.
This vulnerability is present in Camel's default incoming header filter, that allows an attacker to include Camel specific headers that for some Camel components can alter the behaviours such as the camel-bean component, to call another method on the bean, than was coded in the application. In the `camel-jms` component, then a malicious header can be used to send the message to another queue (on the
VulnCheck
Apache camel Improper Handling of Case Sensitivity
vulncheck·2025·CVSS 5.6
CVE-2025-27636 [MEDIUM] Apache camel Improper Handling of Case Sensitivity
Bypass/Injection vulnerability in Apache Camel components under particular conditions.
This issue affects Apache Camel: from 4.10.0 through <= 4.10.1, from 4.8.0 through <= 4.8.4, from 3.10.0 through <= 3.22.3.
Users are recommended to upgrade to version 4.10.2 for 4.10.x LTS, 4.8.5 for 4.8.x LTS and 3.22.4 for 3.x releases.
This vulnerability is present in Camel's default incoming header filter, that allows an attacker to include Camel specific
headers that for some Camel components can alter the behaviours such as the camel-bean component, to call another method
on the bean, than was coded in the application. In the camel-jms component, then a malicious header can be used to send
the message to another queue (on the same broker)
VulnCheck
Apache camel Improper Neutralization of Internal Special Elements
vulncheck·2025·CVSS 5.6
CVE-2025-29891 [MEDIUM] Apache camel Improper Neutralization of Internal Special Elements
Bypass/Injection vulnerability in Apache Camel.
This issue affects Apache Camel: from 4.10.0 before 4.10.2, from 4.8.0 before 4.8.5, from 3.10.0 before 3.22.4.
Users are recommended to upgrade to version 4.10.2 for 4.10.x LTS, 4.8.5 for 4.8.x LTS and 3.22.4 for 3.x releases.
This vulnerability is present in Camel's default incoming header filter, that allows an attacker to include Camel specific headers that for some Camel components can alter the behaviours such as the camel-bean component, or the camel-exec component.
If you have Camel applications that are directly connected to the internet via HTTP, then an attacker could include parameters in the HTTP requests that are sent to the Camel application that get transla
VulnCheck
Apache Tomcat Path Equivalence Vulnerability
vulncheck·2025·CVSS 9.8
CVE-2025-24813 [CRITICAL] CWE-44 Apache Tomcat Path Equivalence Vulnerability
Apache Tomcat contains a path equivalence vulnerability that allows a remote attacker to execute code, disclose information, or inject malicious content via a partial PUT request.
Affected: Apache Tomcat
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2025-03-14&host_type=src&vulnerability=cve-2025-24813; https://lab.wallarm.com/one-put-request-to-own-tomcat-cve-2025-24813-rce-is-in-the-wild/; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2025-03-15&host_type=src&vulnerability
Red Hat
Apache Camel: org.apache.camel: Apache Camel: Remote Code Execution and Arbitrary File Write via case-variant header injection
vendor_redhat·2026-04-27·CVSS 5.6
CVE-2026-40453 [MEDIUM] CWE-178 Apache Camel: org.apache.camel: Apache Camel: Remote Code Execution and Arbitrary File Write via case-variant header injection
A flaw was found in Apache Camel. A remote attacker with Java Message Service (JMS) producer access could exploit a vulnerability in how certain header filter strategies process case-variant internal headers. This discrepancy, where filtering is case-sensitive but header processing is not, allows for the injection of malicious headers. Consequently, this could lead to remote code execution and arbitrary file write on affected Camel routes.
Statement: This Critical flaw in Apache Camel allows remote code execution and arbitrary file write. An attacker with Java Message Service (JMS) producer access can exploit a discrepancy in header processing, where case-variant
Oracle
Oracle Oracle Financial Services Applications Risk Matrix: Maintenance (Apache Camel) — CVE-2025-27636
vendor_oracle·2025-07-15·CVSS 5.6
CVE-2025-27636 [MEDIUM] Oracle Oracle Financial Services Applications Risk Matrix: Maintenance (Apache Camel) — CVE-2025-27636
Oracle Oracle Financial Services Applications Risk Matrix: Maintenance (Apache Camel) vulnerability
CVE: CVE-2025-27636
CVSS: 5.6
Protocol: HTTP
Remote exploit: Yes
Affected versions: Network
Advisory: cpujul2025 (JUL 2025)
Red Hat
camel-http: org.apache.camel: Apache Camel: Camel Message Header Injection through request parameters
vendor_redhat·2025-03-12·CVSS 5.6
CVE-2025-29891 [MEDIUM] CWE-164 camel-http: org.apache.camel: Apache Camel: Camel Message Header Injection through request parameters
Bypass/Injection vulnerability in Apache Camel.
This issue affects Apache Camel: from 4.10.0 before 4.10.2, from 4.8.0 before 4.8.5, from 3.10.0 before 3.22.4.
Users are recommended to upgrade to version 4.10.2 for 4.10.x LTS, 4.8.5 for 4.8.x LTS and 3.22.4 for 3.x releases.
This vulnerability is present in Camel's default incoming header filter, that allows an attacker to include Camel specific headers that for some Camel components can alter the behaviours such as the camel-bean component, or the camel-exec component.
If you have Camel applications that are directly connected to the internet via HTTP, then an attacker could include parameters in the HTTP requests that are sent to the Ca
Red Hat
camel-http: org.apache.camel: bypass of header filters via specially crafted response
vendor_redhat·2025-03-10·CVSS 5.6
CVE-2025-27636 [MEDIUM] CWE-644 camel-http: org.apache.camel: bypass of header filters via specially crafted response
Bypass/Injection vulnerability in Apache Camel components under particular conditions.
This issue affects Apache Camel: from 4.10.0 through <= 4.10.1, from 4.8.0 through <= 4.8.4, from 3.10.0 through <= 3.22.3.
Users are recommended to upgrade to version 4.10.2 for 4.10.x LTS, 4.8.5 for 4.8.x LTS and 3.22.4 for 3.x releases.
This vulnerability is present in Camel's default incoming header filter, that allows an attacker to include Camel specific
headers that for some Camel components can alter the behaviours such as the camel-bean component, to call another method
on the bean, than was coded in the application. In the camel-jms component, then a malicious header can be used to send
the message to another
Apache
Apache camel: CVE-2025-27636
vendor_apache·CVSS 5.6
CVE-2025-27636 [MEDIUM] Apache camel: CVE-2025-27636
Affected: Apache Camel 4.10.0 before 4.10.2; Apache Camel 4.8.0 before 4.8.5; Apache Camel 3.10.0 before 3.22.4.
Fixed in: 3.22.4, 4.8.5 and 4.10.2
Severity: MEDIUM
Camel Message Header Injection via Improper Filtering
2024
Severity: medium
Suricata
ET WEB_SPECIFIC_APPS Apache Camel Message Header Injection in URI (CVE-2025-29891)
suricata·2025-03-13·CVSS 5.6
CVE-2025-29891 [MEDIUM] ET WEB_SPECIFIC_APPS Apache Camel Message Header Injection in URI (CVE-2025-29891)
Rule: alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Apache Camel Message Header Injection in URI (CVE-2025-29891)"; flow:established,to_server; http.uri; content:"CamelExecCommandExecutable|3a 20|"; fast_pattern; nocase; content:!"CamelExecCommandExecutable|3a 20|"; reference:url,github.com/akamai/CVE-2025-27636-Apache-Camel-PoC; reference:cve,2025-29891; classtype:web-application-attack; sid:2060821; rev:1; metadata:affected_product Apache_Camel, attack_target Server, created_at 2025_03_13, cve CVE_2025_29891, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, updated_at 2025_03_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_
Suricata
ET WEB_SPECIFIC_APPS Apache Camel Message Header Injection (CVE-2025-27636)
suricata·2025-03-10·CVSS 5.6
CVE-2025-27636 [MEDIUM] ET WEB_SPECIFIC_APPS Apache Camel Message Header Injection (CVE-2025-27636)
Rule: alert http1 $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Apache Camel Message Header Injection (CVE-2025-27636)"; flow:established,to_server; http.header; content:"CamelExecCommandExecutable|3a 20|"; fast_pattern; nocase; content:!"CamelExecCommandExecutable|3a 20|"; reference:url,github.com/akamai/CVE-2025-27636-Apache-Camel-PoC; reference:cve,2025-27636; classtype:web-application-attack; sid:2060778; rev:1; metadata:attack_target Server, created_at 2025_03_10, cve CVE_2025_27636, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, updated_at 2025_03_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_t
No public exploits indexed.
Bugzilla
CVE-2026-47323 camel: camel-cxf-rest: camel-cxf-transport: camel-knative-http: camel-exec: camel-file: camel-undertow: Apache Camel: Remote Code Execution via header injection due to missing inbound filtering
bugzilla·2026-05-19·CVSS 5.6
CVE-2026-47323 [MEDIUM]
Camel-CXF and Camel-Knative Message Header Injection via Missing Inbound Filtering
The CXF and Knative HeaderFilterStrategy implementations (CxfRsHeaderFilterStrategy in camel-cxf-rest, CxfHeaderFilterStrategy in camel-cxf-transport, and KnativeHttpHeaderFilterStrategy in camel-knative-http) only filter outbound Camel-internal headers via setOutFilterStartsWith, while not configuring inbound filtering via setInFilterStartsWith. As a result, an unauthenticated attacker can inject Camel-internal headers (e.g. CamelExecCommandExecutable, CamelFileName) via HTTP requests to CXF-RS or CX
Bugzilla
CVE-2026-33454 Apache Camel: Camel-Mail: Camel-Mail: Altered application behavior via header injection
bugzilla·2026-04-27·CVSS 5.6
CVE-2026-33454 [MEDIUM] CVE-2026-33454 Apache Camel: Camel-Mail: Camel-Mail: Altered application behavior via header injection
The Camel-Mail component is vulnerable to Camel message header injection. The custom header filter strategy used by the component (MailHeaderFilterStrategy) only filters the 'out' direction via setOutFilterStartsWith, while it does not configure the 'in' direction via setInFilterStartsWith. As a result, when a Camel application consumes mail through camel-mail (for example via from(\"imap://...\") or from(\"pop3://...\")) the inbound filter check is skipped and Camel-prefixed MIME headers are mapped unfiltered into the Exchange. An attacker who can deliver an email to a mailbox monitored by such a consumer can inject Camel-specific headers that, for some Camel components downstream of th
Bugzilla
CVE-2026-40453 Apache Camel: org.apache.camel: Apache Camel: Remote Code Execution and Arbitrary File Write via case-variant header injection
bugzilla·2026-04-27·CVSS 5.6
CVE-2026-40453 [MEDIUM] CVE-2026-40453 Apache Camel: org.apache.camel: Apache Camel: Remote Code Execution and Arbitrary File Write via case-variant header injection
The fix for CVE-2025-27636 added setLowerCase(true) to HttpHeaderFilterStrategy so that case-variant header names such as 'CAmelExecCommandExecutable' are filtered out alongside 'CamelExecCommandExecutable'. The same setLowerCase(true) call was not applied to five non-HTTP HeaderFilterStrategy implementations: JmsHeaderFilterStrategy and ClassicJmsHeaderFilterStrategy in camel-jms, SjmsHeaderFilterStrategy in camel-sjms, CoAPHeaderFilterStrategy in camel-coap, and GooglePubsubHeaderFilterStrategy in camel-google-pubsub. Because those strategies use case-sensitive String.startsWith('Camel'/'camel') filtering while the Camel Exchange stores headers in
Bugzilla
CVE-2025-27636 camel-http: org.apache.camel: bypass of header filters via specially crafted response
bugzilla·2025-03-07·CVSS 5.6
CVE-2025-27636 [MEDIUM] CVE-2025-27636 camel-http: org.apache.camel: bypass of header filters via specially crafted response
Affected Component: Apache Camel Framework (specifically versions 3.x through 4.10.1)
Vuln Type: Bypass/Injection
The vulnerability arises due to a bug in the default filtering mechanism that only blocks headers starting with "Camel", "camel", or "org.apache.camel.". Attackers can bypass this filter by altering the casing of any letter other than the first one (e.g., "cAmel" or "cAMEL"). This allows attackers to inject headers like CAmelMethodBeanName, which can be exploited to invoke arbitrary methods from the Bean registry, and also supports using Simple Expression Language (or OGNL in some cases) as part of the method parameters passed to the bean (see attached examples). There are quite a large number of
Unit42
Apache Under the Lens: Tomcat’s Partial PUT and Camel’s Header Hijack
blogs_unit42·2025-07-03·CVSS 9.8
CVE-2025-24813 [CRITICAL] Apache Under the Lens: Tomcat’s Partial PUT and Camel’s Header Hijack
## Apache Under the Lens: Tomcat’s Partial PUT and Camel’s Header Hijack
Jun Li
Qiang Liu
Yiheng An
Haozhe Zhang
Published: July 3, 2025
## Executive Summary
In March 2025, Apache disclosed CVE-2025-24813, a vulnerability impacting Apache Tomcat. This is a widely used platform that allows Apache web servers to run Java-based web applications. The flaw allows remote code execution, affecting Apache Tomcat versions 9.0.0.M1 to 9.0.98, 10.1.0-M1 to 10.1.34 and 11.0.0-M1 to 11.0.2.
The same month, Apache revealed two additional vulnerabilities in Apache Camel, a message routing middleware framework. These vulnerabilities are CVE-2025-27636 and CVE-2025-29891, two flaws that allow remote code execution, affecting Apache Camel versions 4.10.0 to 4.10.1, 4.8.0 to 4.8.4 and 3.10.0 to 3.22.3.
These vulnerabilities are significant because millions of developers rely on the platform provided by the Apache Foundation. Successful exp
Greynoiseio
NoiseLetter April 2025
blogs_greynoiseio
References
- https://camel.apache.org/security/CVE-2025-27636.html
- https://issues.apache.org/jira/browse/CAMEL-21828
- https://lists.apache.org/thread/l3zcg3vts88bmc7w8172wkgw610y693z
- http://www.openwall.com/lists/oss-security/2025/03/09/1
- https://camel.apache.org/security/CVE-2025-27636.txt.asc
- https://github.com/akamai/CVE-2025-27636-Apache-Camel-PoC/blob/main/src/main/java/com/example/camel/VulnerableCamel.java