PT-2025-11083 · Apache · Apache Camel

Mark Thorson +1

Published 2025-03-12 · Updated 2026-04-27 · CVE-2025-29891

CVSS v3.1: 4.8 (Medium)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L
Affected Versions

Apache Camel versions 3.10.0 through 3.22.4
Apache Camel versions 4.8.0 through 4.8.6
Apache Camel versions 4.10.0 through 4.10.3
Description

Apache Camel is susceptible to a bypass/injection flaw in its default incoming header filter. The flaw allows attackers to inject Camel-specific headers, potentially altering the behavior of components such as camel-bean or camel-exec. Exploitation is possible when a Camel application is exposed directly to the internet over HTTP: an attacker can include malicious parameters in HTTP requests, and those parameters are translated into Camel headers. The vulnerability affects several Camel HTTP components, including camel-servlet, camel-jetty, camel-undertow, camel-platform-http, and camel-netty-http. The issue is related to CVE-2025-27636; the current understanding is that exploitation also works through HTTP request parameters, not only through HTTP headers. Exploitation requires that a vulnerable component is used within the Camel route. Palo Alto Networks reported blocking approximately 126,000 exploitation attempts in March. The camel-undertow component is particularly vulnerable because its custom header filter strategy filters only the "out" direction, leaving the "in" direction open to injection.
Recommendations

Upgrade to version 3.22.4 for 3.x releases.
Upgrade to version 4.8.6 for 4.8.x releases.
Upgrade to version 4.10.3 for 4.10.x LTS releases.
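The description above says the incoming filter is what must drop Camel-specific names, that HTTP request parameters are translated into headers just as HTTP headers are, and that camel-undertow's strategy filtered only the "out" direction. The following is an added example (not code from the advisory or from the Apache Camel project) of what a defender-side check for those three points looks like: a case-insensitive reference filter for the reserved name prefixes, applied to both header names and query-parameter names on the inbound side, plus a scan that flags requests carrying such names so they can be reviewed in proxy or gateway logs. The regex, the request model and the sample traffic are all assumptions constructed for this example; in a real deployment the fix is the version upgrade listed above, and this logic is only a detection or edge-filtering aid in front of the application.

```python
import re
from dataclasses import dataclass
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Prefixes that Camel reserves for its own exchange headers. This regex is a
# defender-side assumption written for this example, not Camel's own filter pattern.
# It is case-insensitive so that spelling variants of the prefix are treated alike.
CAMEL_RESERVED_RE = re.compile(r"^(camel|org\.apache\.camel)", re.IGNORECASE)


@dataclass
class HttpRequest:
    """Minimal inbound request model (assumption for this example)."""
    method: str
    target: str   # request-target, e.g. "/orders?id=42"
    headers: dict  # header name -> value


def is_camel_reserved(name: str) -> bool:
    """True when an inbound name would be mapped onto a Camel-specific header."""
    return CAMEL_RESERVED_RE.match(name.strip()) is not None


def inbound_injections(req: HttpRequest) -> list:
    """Return (source, name) pairs for inbound header and query-parameter names
    that a correct incoming filter must drop. Both sources are checked because
    the advisory states that HTTP parameters are translated into headers too."""
    findings = [("header", n) for n in req.headers if is_camel_reserved(n)]
    query = urlsplit(req.target).query
    findings += [("query", n) for n, _ in parse_qsl(query, keep_blank_values=True)
                 if is_camel_reserved(n)]
    return findings


def filter_inbound(req: HttpRequest) -> HttpRequest:
    """Return a copy with reserved names removed from headers and query string:
    the "in" direction that the advisory says camel-undertow left unfiltered."""
    clean_headers = {n: v for n, v in req.headers.items() if not is_camel_reserved(n)}
    parts = urlsplit(req.target)
    kept = [(n, v) for n, v in parse_qsl(parts.query, keep_blank_values=True)
            if not is_camel_reserved(n)]
    clean_target = urlunsplit(parts._replace(query=urlencode(kept)))
    return HttpRequest(req.method, clean_target, clean_headers)


def scan(requests) -> list:
    """Detection pass over a batch of requests (for example replayed from a
    reverse-proxy log): (index, findings) for each request that carried
    reserved names inbound."""
    return [(i, f) for i, r in enumerate(requests) if (f := inbound_injections(r))]


# Constructed sample traffic for this example; these are not real captures.
SAMPLE_REQUESTS = [
    HttpRequest("GET", "/orders?id=42", {"Host": "camel.internal", "Accept": "*/*"}),
    HttpRequest("GET", "/orders?id=42&CamelCustomHeader=x", {"Host": "camel.internal"}),
    HttpRequest("POST", "/run", {"Host": "camel.internal",
                                 "CAMELcustomheader": "y",
                                 "org.apache.camel.Example": "z"}),
]

if __name__ == "__main__":
    for idx, findings in scan(SAMPLE_REQUESTS):
        print(f"request #{idx}: reserved names inbound -> {findings}")
        print("   after filtering:", filter_inbound(SAMPLE_REQUESTS[idx]))
```

Only names are inspected, never values, so the check is cheap enough to run on every request at the edge; the match is anchored at the start of the name so ordinary headers such as `X-Request-Id` are untouched. Filtering at a proxy is a stopgap that does not replace upgrading Camel itself.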

Related Identifiers

BDU:2025-03703
CVE-2025-29891
GHSA-96V5-C2H5-56HM
GHSA-VQ4P-PCHP-6G6V

Affected Products

Apache Camel