CVE-2025-29891
published 2025-03-12


Priority: P275, medium
CVSS 3.1: 4.8 (medium), vector AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L
Status: exploited in the wild (ITW), public exploit, VulnCheck KEV, initial access
EPSS: 72.00% (99.4th percentile)
Bypass/Injection vulnerability in Apache Camel. This issue affects Apache Camel: from 4.10.0 before 4.10.2, from 4.8.0 before 4.8.5, from 3.10.0 before 3.22.4. Users are recommended to upgrade to version 4.10.2 for 4.10.x LTS, 4.8.5 for 4.8.x LTS and 3.22.4 for 3.x releases. This vulnerability is present in Camel's default incoming header filter, which allows an attacker to include Camel-specific headers that can, for some Camel components, alter behaviour, such as the camel-bean component or the camel-exec component. If you have Camel applications that are directly connected to the internet via HTTP, then an attacker could include parameters in the HTTP requests sent to the Camel application that get translated into headers. The headers could be provided either as request parameters of an HTTP method invocation or as part of the payload of the HTTP method invocation. All the known Camel HTTP components, such as camel-servlet, camel-jetty, camel-undertow, camel-platform-http and camel-netty-http, are vulnerable out of the box. This CVE is related to CVE-2025-27636: while they have the same root cause and are fixed with the same fix, CVE-2025-27636 was assumed to be exploitable only if an attacker could add malicious HTTP headers, while we have now determined that it is also exploitable via HTTP parameters. As with CVE-2025-27636, exploitation is only possible if the Camel route uses particular vulnerable components.

Affected

8 ranges

Vendor   Product   Version range          Fixed in
apache   camel     (range not shown)
apache   camel     >= 3.0.0  < 4.14.6     4.14.6
apache   camel     >= 3.10.0 < 3.22.4     3.22.4
apache   camel     >= 3.18.0 < 4.14.6     4.14.6
apache   camel     >= 4.10.0 < 4.10.2     4.10.2
apache   camel     >= 4.15.0 < 4.18.1     4.18.1
apache   camel     >= 4.15.0 < 4.18.2     4.18.2
apache   camel     >= 4.8.0  < 4.8.5      4.8.5

Detection & IOCs (extracted from sources)

URL: https://github.com/akamai/CVE-2025-27636-Apache-Camel-PoC
Indicator (header name): CamelExecCommandExecutable
Snort/Suricata rule (ET Open sid 2060821):
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Apache Camel Message Header Injection in URI (CVE-2025-29891)"; flow:established,to_server; http.uri; content:"CamelExecCommandExecutable|3a 20|"; fast_pattern; nocase; content:!"CamelExecCommandExecutable|3a 20|"; reference:url,github.com/akamai/CVE-2025-27636-Apache-Camel-PoC; reference:cve,2025-29891; classtype:web-application-attack; sid:2060821; rev:1; metadata:affected_product Apache_Camel, attack_target Server, created_at 2025_03_13, cve CVE_2025_29891, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, updated_at 2025_03_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
Check the rule text against the live ET Open ruleset before deploying: as reproduced here, the second, negated content match repeats the first pattern inside the same http.uri sticky buffer, and a positive and a negated match on the same bytes in the same buffer cannot both be satisfied.
  • Exploitation path: supply `CamelExecCommandExecutable` (or another Camel-prefixed header name) as an HTTP request parameter or in the request body; the affected HTTP consumers (camel-servlet, camel-jetty, camel-undertow, camel-platform-http, camel-netty-http) translate it into an exchange header that the default inbound header filter fails to strip.
  • Detection: monitor request URIs and bodies for the string `CamelExecCommandExecutable:` (colon and space, hex `3a 20`) as a strong indicator of active exploitation attempts; match case-insensitively, as the rule above does with `nocase`.
  • Scope: header injection on its own is harmless. A route is exploitable only when it passes the injected headers into a header-driven downstream component such as camel-bean, camel-exec or camel-sql; routes without such components are not exploitable even if the injection succeeds. Focus detection and triage on routes that use them.
  • Volume: Palo Alto Networks observed 125,856 probes/scans/exploit attempts in March 2025; treat inbound HTTP traffic to Camel endpoints that carries Camel-prefixed parameters as high-priority triage.
  • Relation to CVE-2025-27636: same root cause, same fix. CVE-2025-29891 records that the issue is also exploitable through HTTP request parameters, not only through crafted HTTP headers, which broadens the attack surface.
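The triage logic the bullets above describe, written out as an added example; this is not code from the page's sources or from the Camel project. It parses raw HTTP/1.1 requests, collects every name that a Camel HTTP consumer could turn into an exchange header (query-string parameters, request headers, form-body fields), and flags any Camel-prefixed name case-insensitively, the way the rule's `nocase` does. `CamelExecCommandExecutable` is the header named on this page; `CamelExecCommandArgs` and `CamelBeanMethodName` are Camel's documented camel-exec and camel-bean header names, added here; the request samples are constructed.

```python
"""Flag HTTP requests whose parameter or header names fall in Camel's header namespace.

Added example. The SAMPLES below are constructed requests, not captured traffic.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Camel's header namespace: names starting with "Camel" or "org.apache.camel".
# Matched case-insensitively so that case variants are not missed.
CAMEL_PREFIX = re.compile(r"^(camel|org\.apache\.camel)", re.IGNORECASE)

# Names that steer a downstream component directly. CamelExecCommandExecutable is
# the one named on this page; CamelExecCommandArgs and CamelBeanMethodName are the
# documented camel-exec / camel-bean header names, added here (assumption: you
# care about these components).
HIGH_RISK = {"camelexeccommandexecutable", "camelexeccommandargs", "camelbeanmethodname"}


def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.1 request into method, target, header list and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = []
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return {"method": method, "target": target, "headers": headers, "body": body}


def candidate_names(req: dict):
    """Yield (location, name) for every place a value can become a Camel header.

    parse_qsl percent-decodes names, so an encoded prefix such as %43amel... is
    seen as Camel... here, just as the HTTP consumer would decode it.
    """
    for name, _ in parse_qsl(urlsplit(req["target"]).query, keep_blank_values=True):
        yield "query", name
    for name, _ in req["headers"]:
        yield "header", name
    content_type = next((v for n, v in req["headers"] if n.lower() == "content-type"), "")
    if "application/x-www-form-urlencoded" in content_type.lower():
        for name, _ in parse_qsl(req["body"], keep_blank_values=True):
            yield "body", name


def findings(raw: str) -> list:
    """Return one finding per Camel-prefixed name; component-steering names are 'high'."""
    out = []
    for location, name in candidate_names(parse_request(raw)):
        if CAMEL_PREFIX.match(name):
            severity = "high" if name.lower() in HIGH_RISK else "medium"
            out.append({"location": location, "name": name, "severity": severity})
    return out


# Constructed sample requests (not real traffic).
SAMPLES = {
    "benign": "GET /api/orders?id=42 HTTP/1.1\r\nHost: camel.example\r\n\r\n",
    # The CVE-2025-29891 variant: the header arrives as a query parameter.
    "query": "GET /exec?CamelExecCommandExecutable=id HTTP/1.1\r\nHost: camel.example\r\n\r\n",
    # The CVE-2025-27636 variant: a literal header, here in mixed case, which a
    # case-sensitive string match would miss.
    "header": "GET /exec HTTP/1.1\r\nHost: camel.example\r\nCAmelExecCommandExecutable: id\r\n\r\n",
    # Form body with a percent-encoded first character in the field name.
    "body": (
        "POST /bean HTTP/1.1\r\nHost: camel.example\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 34\r\n\r\n"
        "%43amelBeanMethodName=shutdown&x=1"
    ),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, findings(raw))
```

Any Camel-prefixed name is reported, not only the three high-risk ones, because the advisory's point is that the whole namespace is reserved for Camel's own use; a legitimate application parameter that happens to start with "camel" will show up as a medium finding and needs a one-time allowlist during triage.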

CVSS provenance

NVD (v3.1):    4.8 MEDIUM   CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L
GHSA:          5.6 MEDIUM
OSV:           5.6 MEDIUM
VulnCheck:     9.8 CRITICAL
Red Hat:       5.6 MEDIUM
Apache:        4.8 HIGH