CVE-2025-27636
published 2025-03-09


Priority: P278 (medium, 5.6 on CVSS 3.1)
CVSS 3.1 vector: AV:N / AC:H / PR:N / UI:N / S:U / C:L / I:L / A:L
Exploited in the wild (VulnCheck KEV; initial access)
EPSS: 79.82% (99.6th percentile)
Bypass/Injection vulnerability in Apache Camel components under particular conditions. This issue affects Apache Camel from 4.10.0 through 4.10.1, from 4.8.0 through 4.8.4, and from 3.10.0 through 3.22.3. Users are recommended to upgrade to version 4.10.2 for 4.10.x LTS, 4.8.5 for 4.8.x LTS, and 3.22.4 for 3.x releases.

This vulnerability is present in Camel's default incoming header filter, which allows an attacker to include Camel-specific headers that, for some Camel components, can alter behaviour. In the camel-bean component, a forged header can make the route call a different method on the bean than the one coded in the application. In the camel-jms component, a malicious header can be used to send the message to another queue (on the same broker) than the one coded in the application. The same effect can be observed with the camel-exec component.

The attacker would need to inject custom headers, for example over protocols such as HTTP. So if you have Camel applications that are directly connected to the internet via HTTP, an attacker could include malicious HTTP headers in the HTTP requests sent to the Camel application. All the known Camel HTTP components, such as camel-servlet, camel-jetty, camel-undertow, camel-platform-http, and camel-netty-http, would be vulnerable out of the box. Under these conditions an attacker could forge a Camel header name and make the bean component invoke other methods on the same bean.

The components that use the default header filter strategy are:
  • camel-activemq
  • camel-activemq6
  • camel-amqp
  • camel-aws2-sqs
  • camel-azure-servicebus
  • camel-cxf-rest
  • camel-cxf-soap
  • camel-http
  • camel-jetty
  • camel-jms
  • camel-kafka
  • camel-knative
  • camel-mail
  • camel-nats
  • camel-netty-http
  • camel-platform-http
  • camel-rest
  • camel-sjms
  • camel-spring-rabbitmq
  • camel-stomp
  • camel-tahu
  • camel-undertow
  • camel-xmpp

The vulnerability arises due to a bug in the default filtering mechanism that only blocks headers st

Affected

19 ranges
Vendor                      Product                                                    Version range        Fixed in
apache                      camel                                                      (not shown)
apache                      camel                                                      >= 3.0.0 < 4.14.6    4.14.6
apache                      camel                                                      >= 3.10.0 < 3.22.4   3.22.4
apache                      camel                                                      >= 3.18.0 < 4.14.6   4.14.6
apache                      camel                                                      >= 4.10.0 < 4.10.2   4.10.2
apache                      camel                                                      >= 4.15.0 < 4.18.1   4.18.1
apache                      camel                                                      >= 4.15.0 < 4.18.2   4.18.2
apache                      camel                                                      >= 4.8.0 < 4.8.5     4.8.5
apache_software_foundation  apache_camel                                               >= 3.18.0 < 4.14.6   4.14.6
apache_software_foundation  apache_camel                                               >= 4.15.0 < 4.18.2   4.18.2
openshift-serverless-1      kn-eventing-integrations-aws-ddb-streams-source-rhel9      (not shown)
openshift-serverless-1      kn-eventing-integrations-aws-s3-sink-rhel9                 (not shown)
openshift-serverless-1      kn-eventing-integrations-aws-s3-source-rhel9               (not shown)
openshift-serverless-1      kn-eventing-integrations-aws-sns-sink-rhel9                (not shown)
openshift-serverless-1      kn-eventing-integrations-aws-sqs-sink-rhel9                (not shown)
openshift-serverless-1      kn-eventing-integrations-aws-sqs-source-rhel9              (not shown)
openshift-serverless-1      kn-eventing-integrations-log-sink-rhel9                    (not shown)
openshift-serverless-1      kn-eventing-integrations-timer-source-rhel9                (not shown)

Detection & IOCs (extracted from sources)

  • Exploitation relies on case-variant Camel-prefixed header names that bypass the default incoming header filter. Monitor HTTP requests for header names that, ignoring case, start with 'Camel', 'camel' or 'org.apache.camel.' but do not match those prefixes exactly (e.g., 'cAmel', 'cAMEL'); those are the ones the default filter lets through.
  • Exploitation is also possible via HTTP request parameters, not just headers: monitor for Camel-specific header names injected as query parameters or request-body parameters in applications using camel-servlet, camel-jetty, camel-undertow, camel-platform-http or camel-netty-http.
  • Focus detection on the downstream components that act on injected headers: camel-bean (method invocation manipulation), camel-exec (arbitrary command execution), camel-jms (queue redirection) and camel-sql. Alert on injected headers targeting these components.
  • All known Camel HTTP components are vulnerable out of the box: prioritize monitoring ingress traffic to applications using camel-servlet, camel-jetty, camel-undertow, camel-platform-http and camel-netty-http for anomalous Camel-prefixed headers or parameters.
  • Active scanning and exploit attempts were observed in the wild in March 2025, shortly after disclosure. Treat any probe traffic targeting Apache Camel HTTP endpoints with Camel-prefixed headers or parameters as potentially malicious.
  • Exploitation requires the Camel route to use a vulnerable downstream component (camel-bean as producer, camel-exec, camel-jms or camel-sql) and the exchange must originate from an HTTP-based consumer. Not all Camel deployments are affected.
  • The default header filter only configures the 'out' direction; the 'in' direction filter (setInFilterStartsWith) is not configured, so inbound Camel-prefixed headers pass through unfiltered. Detection and mitigation must address the inbound path specifically.
  • A broad set of components use the default header filter strategy and are therefore in scope for this vulnerability. Detection rules should cover all listed components.
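To make the filter bug in the description and the detection notes above concrete, here is an added Python example; it is not Apache Camel code and does not come from this page's sources. It models the prefix filter the advisory describes in two forms, the case-sensitive check the advisory calls buggy and a case-insensitive replacement, and runs a small scanner over a constructed HTTP request that checks header names, query parameters and a form-encoded body, as the detection notes recommend. The component header names in SENSITIVE_HEADERS (CamelBeanMethodName, CamelExecCommandExecutable, CamelExecCommandArgs, CamelJmsDestinationName, CamelSqlQuery) are taken from Camel's component documentation rather than from this advisory; SAMPLE_REQUEST and every value in it are constructed for the example.

```python
"""Model of the CVE-2025-27636 header-filter bypass, plus a request scanner.

Added example for this page; it is not Apache Camel code. The two filter
functions model the behaviour the advisory describes (a prefix filter for
"Camel", "camel" and "org.apache.camel." that is defeated by other casing);
they are not a port of Camel's DefaultHeaderFilterStrategy. The header names
in SENSITIVE_HEADERS come from Camel's component documentation, not from
this advisory. SAMPLE_REQUEST is constructed.
"""
from urllib.parse import parse_qsl, urlsplit

# Prefixes the default incoming header filter is described as blocking.
CAMEL_PREFIXES = ("Camel", "camel", "org.apache.camel.")

# Camel headers (lower-cased) that change component behaviour when injected.
SENSITIVE_HEADERS = {
    "camelbeanmethodname": "camel-bean: selects the bean method invoked",
    "camelexeccommandexecutable": "camel-exec: selects the executable to run",
    "camelexeccommandargs": "camel-exec: arguments passed to the executable",
    "cameljmsdestinationname": "camel-jms: redirects the message to another destination",
    "camelsqlquery": "camel-sql: overrides the SQL statement",
}


def vulnerable_filter_blocks(name: str) -> bool:
    """Case-sensitive prefix check, modelling the buggy behaviour."""
    return name.startswith(CAMEL_PREFIXES)


def fixed_filter_blocks(name: str) -> bool:
    """Case-insensitive check: Camel header lookups ignore case, so the
    filter has to ignore it as well."""
    lowered = name.lower()
    return any(lowered.startswith(p.lower()) for p in CAMEL_PREFIXES)


def is_bypass(name: str) -> bool:
    """True for a name that is a Camel header but slips past the buggy filter."""
    return fixed_filter_blocks(name) and not vulnerable_filter_blocks(name)


def classify(where: str, name: str, value: str) -> list[dict]:
    """Return one finding if the name is a Camel header in any casing."""
    if not fixed_filter_blocks(name):
        return []
    verdict = "bypass" if is_bypass(name) else "blocked-by-default-filter"
    return [{
        "where": where,
        "name": name,
        "value": value,
        "verdict": verdict,
        "impact": SENSITIVE_HEADERS.get(name.lower(), "generic Camel header"),
    }]


def scan_raw_request(raw: str) -> list[dict]:
    """Scan query parameters, headers and a form-encoded body of one request."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    _method, target, _version = lines[0].split(" ", 2)
    findings = []
    for key, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        findings += classify("query", key, value)
    for line in lines[1:]:
        key, _, value = line.partition(":")
        findings += classify("header", key.strip(), value.strip())
    if body:
        for key, value in parse_qsl(body, keep_blank_values=True):
            findings += classify("body", key, value)
    return findings


# Constructed request: three mixed-case names that bypass the buggy filter and
# one exact-case name that the default filter already blocks.
SAMPLE_REQUEST = "\r\n".join([
    "POST /api/orders?cAmelBeanMethodName=deleteAll HTTP/1.1",
    "Host: camel.example.internal",
    "Content-Type: application/x-www-form-urlencoded",
    "CAmelExecCommandExecutable: /bin/sh",
    "X-Request-Id: 42",
    "CamelJmsDestinationName: dlq",
]) + "\r\n\r\n" + "CAMELExecCommandArgs=-c%20id"


if __name__ == "__main__":
    for finding in scan_raw_request(SAMPLE_REQUEST):
        print(f"{finding['where']:6} {finding['verdict']:25} "
              f"{finding['name']} -> {finding['impact']}")
```

The operational point the scanner makes: a rule that looks only for the literal prefixes 'Camel' or 'camel' reproduces the bug and misses exactly the variants that get through, so matching on the name must be case-insensitive. Names that arrive in exact case are blocked by the default filter but are still reported, since they indicate probing against the endpoint.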

CVSS provenance

Source         Version  Score  Severity  Vector
nvd            3.1      5.6    MEDIUM    CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
ghsa                    5.6    MEDIUM
osv                     5.6    MEDIUM
vulncheck               9.8    CRITICAL
vendor_apache           5.6    MEDIUM
vendor_oracle           5.6    MEDIUM
vendor_redhat           5.6    MEDIUM