CVE-2025-29891
Published: 2025-03-12
Priority: P2 (75) · Severity: medium · CVSS 3.1 base score: 4.8
CVSS vector: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L
In the wild: exploited (VulnCheck KEV; initial access)
EPSS: 72.00% (99.4th percentile)
Bypass/Injection vulnerability in Apache Camel.
This issue affects Apache Camel: from 4.10.0 before 4.10.2, from 4.8.0 before 4.8.5, from 3.10.0 before 3.22.4.
Users are recommended to upgrade to version 4.10.2 for 4.10.x LTS, 4.8.5 for 4.8.x LTS and 3.22.4 for 3.x releases.
This vulnerability is present in Camel's default incoming header filter, which allows an attacker to include Camel-specific headers that, for some Camel components such as camel-bean or camel-exec, can alter behaviour.
If you have Camel applications that are directly exposed to the internet via HTTP, an attacker could include parameters in the HTTP requests sent to the Camel application that get translated into headers.
The headers could be provided either as request parameters of an HTTP method invocation or as part of the payload of the HTTP method invocation.
All known Camel HTTP components, such as camel-servlet, camel-jetty, camel-undertow, camel-platform-http, and camel-netty-http, are vulnerable out of the box.
This CVE is related to CVE-2025-27636: the two share the same root cause and are fixed by the same fix, but CVE-2025-27636 was assumed to be exploitable only if an attacker could add malicious HTTP headers, whereas it has now been determined that it is also exploitable via HTTP parameters. As with CVE-2025-27636, exploitation is only possible if the Camel route uses particular vulnerable components.
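As an added defensive example (not code from the Apache advisory or the Camel project), the check below scans constructed HTTP requests for parameter names that an unfiltered Camel HTTP component would map to internal headers. It goes beyond the Suricata rule listed under Detection & IOCs, which matches one header name in the URI, by checking every parameter name case-insensitively in both the query string and a form body, the two vectors the advisory names; the prefix list and the high-risk names not on this page (CamelExecCommandArgs, CamelBeanMethodName) are assumptions.

```python
"""Flag HTTP request parameters that Camel would map to internal headers.
Added example, not code from the advisory or the Camel project; the prefix
list and the high-risk names not on this page are assumptions."""
from urllib.parse import parse_qsl, urlsplit

# Prefixes Camel reserves for its own headers. Compared case-insensitively,
# since the original filter missed mixed-case names (CVE-2025-27636).
INTERNAL_PREFIXES = ("camel", "org.apache.camel.")

# Header names downstream components act on directly (camel-exec, camel-bean,
# camel-file). CamelExecCommandArgs and CamelBeanMethodName are assumed names.
HIGH_RISK = {"camelexeccommandexecutable", "camelexeccommandargs",
             "camelbeanmethodname", "camelfilename"}


def parse_request(raw: str):
    """Split a raw HTTP/1.1 request into (method, target, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def injected_params(raw: str) -> list[tuple[str, str, str]]:
    """Return (location, name, value) for each query-string or form-body
    parameter whose name would become a Camel-internal header."""
    _method, target, headers, body = parse_request(raw)
    found = [("query", n, v)
             for n, v in parse_qsl(urlsplit(target).query, keep_blank_values=True)]
    # Only a form-encoded body is parameter-mapped here; the advisory also names
    # payload-based injection, and other body encodings would need their own parser.
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        found += [("body", n, v) for n, v in parse_qsl(body, keep_blank_values=True)]
    return [(loc, n, v) for loc, n, v in found if n.lower().startswith(INTERNAL_PREFIXES)]


def classify(raw: str) -> str:
    """'critical' when a known high-risk header is injected, 'suspicious' for
    any other Camel-prefixed parameter, otherwise 'clean'."""
    hits = injected_params(raw)
    if any(n.lower() in HIGH_RISK for _, n, _ in hits):
        return "critical"
    return "suspicious" if hits else "clean"


# Constructed sample requests (not real captures); parameter values are placeholders.
SAMPLES = {
    "benign": "GET /orders?id=42&format=json HTTP/1.1\r\nHost: camel.example\r\n\r\n",
    "query": ("GET /orders?id=42&CAMELEXECCOMMANDEXECUTABLE=placeholder HTTP/1.1\r\n"
              "Host: camel.example\r\n\r\n"),
    "body": ("POST /orders HTTP/1.1\r\nHost: camel.example\r\n"
             "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
             "id=42&camelBeanMethodName=placeholder"),
    "prefix": "GET /orders?CamelCustomHeader=1 HTTP/1.1\r\nHost: camel.example\r\n\r\n",
}
```

A legitimate parameter whose name happens to start with "camel" is reported as suspicious; narrow INTERNAL_PREFIXES or keep an allow-list for routes that genuinely use such names.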
Affected (8 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | camel | — | — |
| apache | camel | >= 3.0.0 < 4.14.6 | 4.14.6 |
| apache | camel | >= 3.10.0 < 3.22.4 | 3.22.4 |
| apache | camel | >= 3.18.0 < 4.14.6 | 4.14.6 |
| apache | camel | >= 4.10.0 < 4.10.2 | 4.10.2 |
| apache | camel | >= 4.15.0 < 4.18.1 | 4.18.1 |
| apache | camel | >= 4.15.0 < 4.18.2 | 4.18.2 |
| apache | camel | >= 4.8.0 < 4.8.5 | 4.8.5 |
Detection & IOCs (extracted from sources)
URL: https://github.com/akamai/CVE-2025-27636-Apache-Camel-PoC
Other: CamelExecCommandExecutable
Snort rule:
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Apache Camel Message Header Injection in URI (CVE-2025-29891)"; flow:established,to_server; http.uri; content:"CamelExecCommandExecutable|3a 20|"; fast_pattern; nocase; content:!"CamelExecCommandExecutable|3a 20|"; reference:url,github.com/akamai/CVE-2025-27636-Apache-Camel-PoC; reference:cve,2025-29891; classtype:web-application-attack; sid:2060821; rev:1; metadata:affected_product Apache_Camel, attack_target Server, created_at 2025_03_13, cve CVE_2025_29891, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, updated_at 2025_03_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
- Attack path: the header `CamelExecCommandExecutable` (and similar Camel-prefixed headers) is injected via HTTP request parameters or the payload body, abusing the missing inbound header filter in camel-servlet, camel-jetty, camel-undertow, camel-platform-http, and camel-netty-http.
- Monitor HTTP URI and body for the string `CamelExecCommandExecutable:` (colon and space, hex `3a 20`) as a strong indicator of active exploitation attempts against CVE-2025-29891.
- Exploitation is only possible when the Camel route uses downstream header-driven components such as camel-bean, camel-exec, or camel-sql; focus detection and triage on routes using these components.
- Palo Alto Networks observed 125,856 probes/scans/exploit attempts in March 2025; treat any inbound HTTP traffic to Camel endpoints carrying Camel-prefixed parameters as high-priority triage.
- Exploitation requires the Camel route to use a vulnerable downstream component (e.g., camel-bean, camel-exec, camel-sql); routes not using these components are not exploitable even if the header injection succeeds.
- All known Camel HTTP components (camel-servlet, camel-jetty, camel-undertow, camel-platform-http, camel-netty-http) are vulnerable out of the box because no inbound header filter is configured.
- CVE-2025-29891 extends CVE-2025-27636: the same root cause is now confirmed exploitable via HTTP request parameters (not just malicious HTTP headers), broadening the attack surface.
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| NVD (v3.1) | 4.8 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L |
| GHSA | 5.6 | MEDIUM | — |
| OSV | 5.6 | MEDIUM | — |
| VulnCheck | 9.8 | CRITICAL | — |
| Red Hat (vendor) | 5.6 | MEDIUM | — |
| Apache (vendor) | 4.8 | HIGH | — |
GHSA (unreviewed) · 2026-05-19 · CVSS 5.6 MEDIUM · CWE-178
GHSA-8364-hfqj-pwm6 / CVE-2026-47323: Camel-CXF and Camel-Knative Message Header Injection via Missing Inbound Filtering
The CXF and Knative HeaderFilterStrategy implementations (CxfRsHeaderFilterStrategy in camel-cxf-rest, CxfHeaderFilterStrategy in camel-cxf-transport, and KnativeHttpHeaderFilterStrategy in camel-knative-http) only filter outbound Camel-internal headers via setOutFilterStartsWith, while not configuring inbound filtering via setInFilterStartsWith. As a result, an unauthenticated attacker can inject Camel-internal headers (e.g. CamelExecCommandExecutable, CamelFileName) via HTTP requests to CXF-RS or CXF-SOAP endpoints. When a route forwards messages from these endpoints to header-driven components such as camel-exec or camel-file, the injected headers override configured values, enabling remote code executio
GHSA · 2026-05-19 · CVSS 5.6 MEDIUM · CWE-178
CVE-2026-47323: Camel-CXF and Camel-Knative Message Header are Vulnerable to Injection via Missing Inbound Filtering (same advisory text as GHSA-8364-hfqj-pwm6 above)
GHSA · 2026-04-27 · CVSS 5.6 MEDIUM · CWE-502
CVE-2026-33454: Apache Camel's Camel-Mail component is vulnerable to Camel message header injection
The Camel-Mail component is vulnerable to Camel message header injection. The custom header filter strategy used by the component (MailHeaderFilterStrategy) only filters the 'out' direction via setOutFilterStartsWith, while it does not configure the 'in' direction via setInFilterStartsWith. As a result, when a Camel application consumes mail through camel-mail (for example via from("imap://...") or from("pop3://...")) the inbound filter check is skipped and Camel-prefixed MIME headers are mapped unfiltered into the Exchange. An attacker who can deliver an email to a mailbox monitored by such a consumer can inject Camel-specific headers that, for some Camel components downstream of the mail consumer (su
GHSA · 2025-03-12 · CVSS 5.6 MEDIUM · CWE-164
CVE-2025-29891: Apache Camel Message Header Injection through request parameters
Affected per GHSA: from 4.9.0 before 4.10.2, from 4.0.0 before 4.8.5, from 3.10.0 before 3.22.4 (lower bounds differ from the Apache advisory). The description otherwise repeats the Apache advisory text given above.
OSV · 2025-03-12 · CVSS 5.6 MEDIUM
CVE-2025-29891: Apache Camel Message Header Injection through request parameters
Affected per OSV: from 4.9.0 before 4.10.2, from 4.0.0 before 4.8.5, from 3.10.0 before 3.22.4 (lower bounds differ from the Apache advisory). The description otherwise repeats the Apache advisory text given above.
VulnCheck · 2025 · CVSS 5.6 MEDIUM
CVE-2025-27636: Apache Camel Improper Handling of Case Sensitivity
Bypass/Injection vulnerability in Apache Camel components under particular conditions.
This issue affects Apache Camel: from 4.10.0 through 4.10.1, from 4.8.0 through 4.8.4, from 3.10.0 through 3.22.3.
Users are recommended to upgrade to version 4.10.2 for 4.10.x LTS, 4.8.5 for 4.8.x LTS and 3.22.4 for 3.x releases.
This vulnerability is present in Camel's default incoming header filter, which allows an attacker to include Camel-specific headers that, for some Camel components, can alter behaviour: with the camel-bean component, a different method can be called on the bean than the one coded in the application, and with the camel-jms component a malicious header can be used to send the message to another queue (on the same broker).
VulnCheck · 2025 · CVSS 5.6 MEDIUM
CVE-2025-29891: Apache Camel Improper Neutralization of Internal Special Elements
Description: repeats the Apache advisory text given above.
VulnCheck · 2025 · CVSS 9.8 CRITICAL · CWE-44
CVE-2025-24813: Apache Tomcat Path Equivalence Vulnerability
Apache Tomcat contains a path equivalence vulnerability that allows a remote attacker to execute code, disclose information, or inject malicious content via a partial PUT request.
Affected: Apache Tomcat
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2025-03-14&host_type=src&vulnerability=cve-2025-24813; https://lab.wallarm.com/one-put-request-to-own-tomcat-cve-2025-24813-rce-is-in-the-wild/; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2025-03-15&host_type=src&vulnerability
Red Hat · 2025-03-12 · CVSS 5.6 MEDIUM · CWE-164
CVE-2025-29891: camel-http: org.apache.camel: Apache Camel: Camel Message Header Injection through request parameters
Description: repeats the Apache advisory text given above.
Apache (vendor) · CVSS 4.8 · Severity: HIGH
CVE-2025-29891: Camel Message Header Injection through request parameters
Affected: Apache Camel 4.10.0 before 4.10.2; Apache Camel 4.8.0 before 4.8.5; Apache Camel 3.10.0 before 3.22.4
Fixed in: 3.22.4, 4.8.5 and 4.10.2
Suricata · 2025-03-13 · CVSS 5.6 MEDIUM
CVE-2025-29891: ET WEB_SPECIFIC_APPS Apache Camel Message Header Injection in URI (CVE-2025-29891)
Rule: the ET rule (sid 2060821) reproduced in full under Detection & IOCs above.
No public exploits indexed.
Unit42 · 2025-07-03 · CVSS 9.8 CRITICAL (CVE-2025-24813)
## Apache Under the Lens: Tomcat’s Partial PUT and Camel’s Header Hijack
Authors: Jun Li, Qiang Liu, Yiheng An, Haozhe Zhang
Published: July 3, 2025
Tags: Threat Research, Vulnerabilities, Apache, CVE-2025-24813, CVE-2025-27636, CVE-2025-29891, Remote Code Execution
## Executive Summary
In March 2025, Apache disclosed CVE-2025-24813, a vulnerability impacting Apache Tomcat. This is a widely used platform that allows Apache web servers to run Java-based web applications. The flaw allows remote code execution, affecting Apache Tomcat versions 9.0.0.M1 to 9.0.98, 10.1.0-M1 to 10.1.34 and 11.0.0-M1 to 11.0.2.
The same month, Apache revealed two additional vulnerabilities in Apache Camel, a message routing middleware framework. These vulnerabilities are CVE-2025-27636 and CVE-2025-29891, two flaws that allow remote code execution, affecting Apache Camel versions 4.10.0 to 4.10.1, 4.8.0 to 4.8.4 and 3.10.0 to 3.22.3.
These vulnerabilities are significant because millions of developers rely on the platform provided by the Apache Foundation. Successful exp
Bugzilla · 2026-05-19 · CVSS 5.6 MEDIUM
CVE-2026-47323 camel: camel-cxf-rest: camel-cxf-transport: camel-knative-http: camel-exec: camel-file: camel-undertow: Apache Camel: Remote Code Execution via header injection due to missing inbound filtering
Description: the GHSA-8364-hfqj-pwm6 advisory text (Camel-CXF and Camel-Knative Message Header Injection via Missing Inbound Filtering) given above.
Bugzilla · 2026-04-27 · CVSS 5.6 MEDIUM
CVE-2026-33454 Apache Camel: Camel-Mail: Altered application behavior via header injection
Description: the CVE-2026-33454 advisory text (Camel-Mail component header injection) given above.