CVE-2026-25747
published 2026-02-23

CVE-2026-25747: Deserialization of Untrusted Data vulnerability in Apache Camel LevelDB component.

Priority: P2 · 65 · high
CVSS 3.1: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.90% (55.2nd percentile)
Deserialization of Untrusted Data vulnerability in Apache Camel LevelDB component. The Camel-LevelDB DefaultLevelDBSerializer class deserializes data read from the LevelDB aggregation repository using java.io.ObjectInputStream without applying any ObjectInputFilter or class-loading restrictions. An attacker who can write to the LevelDB database files used by a Camel application can inject a crafted serialized Java object that, when deserialized during normal aggregation repository operations, results in arbitrary code execution in the context of the application. This issue affects Apache Camel: from 4.10.0 before 4.10.8, from 4.14.0 before 4.14.5, from 4.15.0 before 4.18.0. Users are recommended to upgrade to version 4.18.0, which fixes the issue. For the 4.10.x LTS releases, users are recommended to upgrade to 4.10.9, while for 4.14.x LTS releases, users are recommended to upgrade to 4.14.5.

Affected (12 ranges)

Vendor                     | Product              | Version range       | Fixed in
apache                     | camel                |                     |
apache                     | camel                |                     |
apache                     | camel                | >= 3.0.0 < 4.14.6   | 4.14.6
apache                     | camel                | >= 3.0.0 < 4.10.9   | 4.10.9
apache                     | camel                | >= 4.0.0 < 4.14.7   | 4.14.7
apache                     | camel                | >= 4.11.0 < 4.14.5  | 4.14.5
apache                     | camel                | >= 4.15.0 < 4.18.1  | 4.18.1
apache                     | camel                | >= 4.15.0 < 4.18.0  | 4.18.0
apache                     | camel                | >= 4.15.0 < 4.18.2  | 4.18.2
apache_software_foundation | apache_camel_leveldb | >= 3.0.0 < 4.10.9   | 4.10.9
apache_software_foundation | apache_camel_leveldb | >= 4.14.0 < 4.14.5  | 4.14.5
apache_software_foundation | apache_camel_leveldb | >= 4.15.0 < 4.18.0  | 4.18.0

Detection & IOCs (extracted from sources)

  • Vulnerable class: DefaultLevelDBSerializer in camel-leveldb deserializes data via java.io.ObjectInputStream without ObjectInputFilter — monitor for unexpected deserialization gadget chain execution originating from LevelDB aggregation repository operations
  • Attack vector requires write access to LevelDB database files on disk — monitor for unexpected file writes to LevelDB data directories used by Camel applications
  • Trigger point is during aggregation repository operations (get/recover) — anomalous process spawning or network callbacks from a Camel process during aggregation operations should be investigated as potential deserialization exploitation
  • Affected Maven artifact is org.apache.camel:camel-leveldb — scan deployed JARs/WARs for this artifact in versions from 4.10.0 before 4.10.8, from 4.14.0 before 4.14.5, from 4.15.0 before 4.18.0
  • Same deserialization vulnerability class as CVE-2024-22369 and CVE-2024-23114 — existing detection rules for those CVEs (e.g., Java deserialization gadget chains in Camel components) are directly applicable here
  • No ObjectInputFilter or class-loading restriction is applied — the vulnerable code path uses raw java.io.ObjectInputStream.readObject(), meaning any serialized Java object written to the LevelDB store will be deserialized without validation
  • Red Hat has marked camel-leveldb in Red Hat build of Apache Camel for Spring Boot 4 and Red Hat Fuse 7 as 'Will not fix' — deployments on these platforms remain permanently vulnerable unless users migrate
  • Affected version ranges differ between sources: NVD/Wiz cite 4.10.0–4.10.8, 4.14.0–4.14.5, 4.15.0–4.18.0; Apache security page cites from 3.0.0 before 4.10.9, 4.11.0 before 4.14.5, 4.15.0 before 4.18.0 — use the broader range (from 3.0.0) for conservative detection coverage
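The defensive counterpart to the raw readObject() path the description and the detection notes refer to, as an added example that is not camel-leveldb's own code: a hypothetical helper that reads stored bytes with a JEP 290 ObjectInputFilter allow-list installed, so any class outside the expected set is rejected before it is instantiated. The class names and limits in the filter are assumptions for illustration; a real allow-list must be derived from the types the application actually stores in its aggregation repository.

```java
import java.io.*;
import java.util.ArrayList;
import java.util.List;

// Hypothetical helper (added example, not camel-leveldb code): the advisory's
// raw readObject() pattern beside a JEP 290 allow-list version.
public class FilteredDeserializationExample {
    // Vulnerable shape: whatever bytes sit in the store are deserialized as-is.
    static Object deserializeUnfiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return ois.readObject();
        }
    }
    // Hardened: classes not on the allow-list are rejected before any of their
    // deserialization logic runs; depth/refs/bytes limits cap blow-up payloads.
    // Listed classes and limits are assumptions; derive the real list from the
    // types the application actually stores in the aggregation repository.
    static final ObjectInputFilter ALLOW_LIST = ObjectInputFilter.Config.createFilter(
            "maxdepth=10;maxrefs=1000;maxbytes=1048576;"
            + "java.lang.String;java.lang.Long;java.lang.Integer;"
            + "java.util.ArrayList;java.util.HashMap;!*");
    static Object deserializeFiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(ALLOW_LIST); // Java 9+; must be set before readObject()
            return ois.readObject();
        }
    }
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a benign value of the kind a repository might hold.
        List<String> benign = new ArrayList<>(List.of("order-1", "order-2"));
        System.out.println("allowed: " + deserializeFiltered(serialize(benign)));
        // Constructed sample: a harmless class that is simply not allow-listed. The
        // unfiltered path accepts it; the filtered path throws InvalidClassException
        // (filter status REJECTED) before the object is instantiated.
        byte[] unexpected = serialize(new java.util.Date());
        System.out.println("unfiltered: " + deserializeUnfiltered(unexpected).getClass());
        try {
            deserializeFiltered(unexpected);
        } catch (InvalidClassException e) {
            System.out.println("filtered rejected: " + e.getMessage());
        }
    }
}
```

For a fleet-wide stopgap where code cannot be changed, the same pattern string can be applied process-wide through the jdk.serialFilter system property, which ObjectInputFilter.Config reads at startup.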

CVSS provenance

Source        | Version | Score | Severity | Vector
nvd           | v3.1    | 8.8   | HIGH     | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
ghsa          |         | 7.8   | HIGH     |
vendor_apache |         | 8.8   | HIGH     |
vendor_redhat |         | 8.8   | HIGH     |