Mark Thorson

#15204 of 53,633
17.6 Total CVSS
Vulnerabilities · 3
Medium
3
PT-2025-11083
4.8
2025-03-12
Apache · Apache Camel · CVE-2025-29891
**Apache Camel and Affected Versions**
Apache Camel versions 3.10.0 before 3.22.4
Apache Camel versions 4.8.0 before 4.8.6
Apache Camel versions 4.10.0 before 4.10.3

**Description**
Apache Camel is susceptible to a bypass/injection flaw in its default incoming header filter. The filter is meant to strip Camel-specific headers from untrusted input; because it can be bypassed, an attacker can inject headers that alter the behaviour of components such as `camel-bean` or `camel-exec`. This CVE extends CVE-2025-27636: the filter is now understood to be bypassable through HTTP query parameters as well as HTTP headers, because Camel's HTTP consumers translate request parameters into message headers. It is exploitable when a Camel application exposes one of the affected HTTP consumers (`camel-servlet`, `camel-jetty`, `camel-undertow`, `camel-platform-http`, `camel-netty-http`) directly to the internet and the same route also uses a component that acts on the injected headers; without such a component in the route, the injected headers have no effect. The `camel-undertow` component is particularly exposed because its custom header filter strategy filters only the "out" direction, leaving the "in" direction open to injection. Palo Alto Networks reported blocking approximately 126,000 exploitation attempts in March.

**Recommendations**
Upgrade to version 3.22.4 for 3.x releases. Upgrade to version 4.8.6 for 4.8.x LTS releases. Upgrade to version 4.10.3 for 4.10.x LTS releases.
PT-2025-10464
6.3
2025-03-09
Apache · Apache Camel · CVE-2025-27636
**Name of the Vulnerable Software and Affected Versions**
Apache Camel versions 3.10.0 through 3.22.3 (fixed in 3.22.4)
Apache Camel versions 4.8.0 through 4.8.4 (fixed in 4.8.5)
Apache Camel versions 4.9.0 through 4.10.1 (fixed in 4.10.2)

**Description**
Apache Camel is affected by a bypass/injection vulnerability in its default incoming header filter. The filter is case-sensitive and blocks only header names starting with "Camel", "camel", or "org.apache.camel.", while Camel's own header lookups are case-insensitive. A name such as `CAmelExecCommandExecutable` therefore passes the filter unchanged but is still read by `camel-exec` as its `CamelExecCommandExecutable` header. An attacker who can send HTTP requests to an exposed Camel endpoint can thus inject Camel-specific headers and alter the behaviour of components such as `camel-bean` or `camel-exec`, for example invoking unintended bean methods or redirecting messages to different queues. The `camel-undertow` component is additionally vulnerable because its custom header filter strategy filters only the "out" direction, leaving the "in" direction unprotected. Active exploitation has been observed: Palo Alto Networks reported blocking over 126,000 exploitation attempts in March. The issue is related to CVE-2025-29891 (the same bypass via HTTP query parameters) and CVE-2025-30177. The affected components are `camel-activemq`, `camel-activemq6`, `camel-amqp`, `camel-aws2-sqs`, `camel-azure-servicebus`, `camel-cxf-rest`, `camel-cxf-soap`, `camel-http`, `camel-jetty`, `camel-jms`, `camel-kafka`, `camel-knative`, `camel-mail`, `camel-nats`, `camel-netty-http`, `camel-platform-http`, `camel-rest`, `camel-sjms`, `camel-spring-rabbitmq`, `camel-stomp`, `camel-tahu`, `camel-undertow`, and `camel-xmpp`.

**Recommendations**
Upgrade to version 4.10.2 for 4.10.x LTS, 4.8.5 for 4.8.x LTS, or 3.22.4 for 3.x releases; 4.10.3 and 4.8.6, which also address the related CVE-2025-29891, are preferable where available. If an upgrade is not immediately possible, remove untrusted headers in your Camel routes with the removeHeaders EIP, filtering out anything that is not expected input, and restrict access to routes that use sensitive components such as `camel-bean` and `camel-exec`.
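The mechanism behind both entries above (a case-sensitive prefix filter sitting in front of a case-insensitive header map, extended in CVE-2025-29891 to query parameters) is easier to reason about with a runnable model. The following Python is an added example, not Apache Camel's code and not taken from either advisory: it models the pre-fix and post-fix filter, a minimal case-insensitive header map, what a `camel-exec` style component would read from it, and a detection rule that flags reserved Camel names arriving in non-canonical case. `CamelExecCommandExecutable`, `CamelExecCommandArgs` and `CamelBeanMethodName` are the real `camel-exec` and `camel-bean` header names; the request, its values and the exact shape of the hardened regex are constructed for the example. The model also assumes query parameters pass through the same filter as headers.

```python
import re

# Constructed inbound HTTP request (sample data, not a real capture):
# header names and query parameters as an internet-facing Camel HTTP
# consumer would receive them.  The mixed-case "CAmel..." names are the bypass.
SAMPLE_REQUEST = {
    "headers": {
        "Content-Type": "application/json",
        "CamelExecCommandExecutable": "ls",   # canonical case: the old filter drops it
        "CAmelExecCommandExecutable": "ls",   # mixed case: the old filter lets it through
        "cAMELExecCommandArgs": "-la /",
        "ORG.APACHE.CAMEL.Foo": "bar",
        "X-Request-Id": "abc123",
    },
    "query": {
        "CaMelBeanMethodName": "shutdown",    # CVE-2025-29891: parameters become headers too
        "page": "2",
    },
}

# Prefixes the pre-fix default filter blocked, compared case-sensitively.
CAMEL_PREFIXES = ("Camel", "camel", "org.apache.camel.")


def vulnerable_filter(name):
    """Model of the pre-fix filter: true only for exact-case Camel prefixes."""
    return name.startswith(CAMEL_PREFIXES)


# Assumed shape of the hardened rule: the same reserved prefixes, matched
# case-insensitively and anchored.  Written for this model, not copied from Camel.
_FIXED = re.compile(r"(?i)^(camel|org\.apache\.camel)[a-z0-9.]*$")


def fixed_filter(name):
    """Model of the hardened filter: any casing of a reserved prefix is dropped."""
    return _FIXED.match(name) is not None


class CaseInsensitiveHeaders(dict):
    """Minimal stand-in for Camel's case-insensitive message header map."""

    def __setitem__(self, key, value):
        super().__setitem__(key.lower(), value)

    def __getitem__(self, key):
        return super().__getitem__(key.lower())

    def __contains__(self, key):
        return super().__contains__(key.lower())

    def get(self, key, default=None):
        return super().get(key.lower(), default)


def bind_request(request, is_filtered):
    """Copy headers and query parameters onto the exchange, skipping filtered names.

    Model assumption: query parameters go through the same filter as headers.
    """
    msg = CaseInsensitiveHeaders()
    for source in ("headers", "query"):
        for name, value in request[source].items():
            if not is_filtered(name):
                msg[name] = value
    return msg


def exec_component_view(msg):
    """What camel-exec sees: its control headers, looked up case-insensitively."""
    return msg.get("CamelExecCommandExecutable"), msg.get("CamelExecCommandArgs")


def detect_bypass_attempts(request):
    """Detection rule for access logs or a WAF: reserved Camel names arriving
    from the network in non-canonical case, i.e. names the old filter misses."""
    hits = []
    for source in ("headers", "query"):
        for name in request[source]:
            if fixed_filter(name) and not vulnerable_filter(name):
                hits.append(f"{source}:{name}")
    return hits


if __name__ == "__main__":
    print("vulnerable:", exec_component_view(bind_request(SAMPLE_REQUEST, vulnerable_filter)))
    print("fixed:     ", exec_component_view(bind_request(SAMPLE_REQUEST, fixed_filter)))
    print("suspicious:", detect_bypass_attempts(SAMPLE_REQUEST))
```

With the pre-fix filter the component receives `("ls", "-la /")` from the mixed-case names even though the canonical `CamelExecCommandExecutable` header was dropped; with the hardened filter it receives nothing while ordinary headers such as `X-Request-Id` survive. The detection rule is the practical takeaway for operators who cannot patch immediately: any reserved Camel name in unusual case, in either headers or query string, has no legitimate reason to come from the internet.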