CVE-2025-29891

CWE-164 (Improper Neutralization of Internal Special Elements) | 10 documents | 9 sources

Severity: 4.8 MEDIUM
EPSS: 0.1% (top 68.38%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Mar 12, 2025; latest update Jul 3, 2025

Description

Bypass/Injection vulnerability in Apache Camel. This issue affects Apache Camel: from 4.10.0 before 4.10.2, from 4.8.0 before 4.8.5, and from 3.10.0 before 3.22.4. Users are recommended to upgrade to version 4.10.2 for 4.10.x LTS, 4.8.5 for 4.8.x LTS and 3.22.4 for 3.x releases. This vulnerability is present in Camel's default incoming header filter, which allows an attacker to include Camel-specific headers that, for some Camel components, can alter behaviour, such as the camel-bean component,
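The description above turns on one check: whether a name arriving from the outside (an HTTP header or, per this CVE, a request parameter that gets translated into a header) is a Camel-internal header name. The following is an added example, written for this page and not taken from Apache Camel's source or from the advisory, that contrasts a weak filter of the kind the advisory describes as bypassable with a hardened check that inspects both header lines and URL-decoded query parameters, case-insensitively. The name pattern is this example's approximation of Camel's reserved prefixes, the sample requests are constructed, and the method name in them is illustrative; `CamelBeanMethodName` is the real camel-bean header that selects the method to invoke. Upgrading to the fixed versions is the remediation; a check like this is a detection or defence-in-depth aid in front of an unpatched instance.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Names Camel treats as its own (e.g. CamelBeanMethodName, which tells the
# camel-bean component which method to invoke). Matching is case-insensitive
# on purpose: a case-sensitive match lets "cAmelBeanMethodName" through.
# Assumption: this pattern approximates Camel's reserved prefixes; it is not
# Camel's own filter code.
CAMEL_NAME_RE = re.compile(r"^(?:camel|org\.apache\.camel)", re.IGNORECASE)


def is_camel_internal(name: str) -> bool:
    """True if a header or parameter name looks Camel-internal."""
    return CAMEL_NAME_RE.match(name.strip()) is not None


def parse_request(raw: str):
    """Split a raw HTTP/1.1 request head into (target, [(name, value), ...])."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    _method, target, _version = request_line.split(" ", 2)
    headers = []
    for line in header_lines:
        if line:
            name, _, value = line.partition(":")
            headers.append((name.strip(), value.strip()))
    return target, headers


def naive_filter(raw: str) -> list:
    """Illustrative weak filter: looks only at header lines and only for the
    exact prefix "Camel". It never sees query parameters, which is the gap
    this CVE is about."""
    _target, headers = parse_request(raw)
    return [name for name, _ in headers if name.startswith("Camel")]


def find_injected(raw: str) -> list:
    """Hardened check: flag Camel-internal names in header lines *and* in
    URL-decoded query parameters, case-insensitively.
    Returns (source, name, value) triples."""
    target, headers = parse_request(raw)
    hits = [("header", n, v) for n, v in headers if is_camel_internal(n)]
    # parse_qsl percent-decodes names, so %43amel... is seen as Camel...
    for n, v in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        if is_camel_internal(n):
            hits.append(("query", n, v))
    return hits


# Constructed sample requests (not captured traffic). "deleteAll" is an
# arbitrary illustrative method name.
SAMPLES = {
    "benign": "GET /api/order?id=42 HTTP/1.1\r\nHost: camel.internal\r\n\r\n",
    "param": "GET /api/order?id=42&CamelBeanMethodName=deleteAll HTTP/1.1\r\n"
             "Host: camel.internal\r\n\r\n",
    "header_case": "GET /api/order HTTP/1.1\r\nHost: camel.internal\r\n"
                   "camelbeanmethodname: deleteAll\r\n\r\n",
    "encoded_param": "GET /api/order?%43amelBeanMethodName=deleteAll HTTP/1.1\r\n"
                     "Host: camel.internal\r\n\r\n",
}


def compare() -> dict:
    """Run both filters over every sample: {name: (naive_hits, hardened_hits)}."""
    return {k: (naive_filter(r), find_injected(r)) for k, r in SAMPLES.items()}


if __name__ == "__main__":
    for name, (naive, hardened) in compare().items():
        print(f"{name:14s} naive={naive} hardened={hardened}")
```

The naive filter reports nothing for any of the three hostile samples, while the hardened check flags the parameter form, the lower-cased header form and the percent-encoded parameter form. Whatever the check is used for (logging, a WAF rule, or stripping the names before the exchange reaches a route), it has to run on the same decoded view of the request that the framework will use, or the encoded variant slips past it.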

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L
Exploitability: 2.2 | Impact: 2.5
(Network-reachable, high attack complexity, no privileges or user interaction required; low integrity and availability impact, no confidentiality impact.)

Affected Packages (3 packages)

Source      Package                                   Introduced   Fixed
NVD         apache/camel                              3.10.0       3.22.4   (+2 more ranges)
Maven       org.apache.camel:camel-support            3.10.0       3.22.4   (+2 more ranges)
CVEListV5   apache_software_foundation/apache_camel   4.10.0       4.10.2   (+2 more ranges)

Vulnerability Details

GHSA: Apache Camel Message Header Injection through request parameters (2025-03-12)
OSV: Apache Camel Message Header Injection through request parameters (2025-03-12)
CVEList: Apache Camel: Camel Message Header Injection through request parameters (2025-03-12)
VulnCheck: Apache camel Improper Neutralization of Internal Special Elements (2025)

Detection Rules

Suricata: ET WEB_SPECIFIC_APPS Apache Camel Message Header Injection in URI (CVE-2025-29891) (2025-03-13)

Vendor Advisories

Red Hat: camel-http: org.apache.camel: Apache Camel: Camel Message Header Injection through request parameters (2025-03-12)
Apache: Apache camel: CVE-2025-29891

Threat Intelligence

Unit42: Apache Under the Lens: Tomcat's Partial PUT and Camel's Header Hijack (2025-07-03)
Source: cvebase.io | CVE-2025-29891 (MEDIUM, CVSS 4.8) | Bypass/Injection vulnerability in Apache Camel