PT-2026-20653 · Apache · Apache Camel

Andrea Cosentino · Published 2026-02-19 · Updated 2026-04-27 · CVE-2026-25747

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Apache Camel versions 4.10.0 through 4.10.7
Apache Camel versions 4.14.0 through 4.14.4
Apache Camel versions 4.15.0 through 4.17.9
Description

The Apache Camel LevelDB component deserializes untrusted data. Its DefaultLevelDBSerializer class reads records back from the LevelDB aggregation repository with java.io.ObjectInputStream and applies no safeguard such as an ObjectInputFilter or a class-loading restriction, so any serializable class on the application's classpath can be instantiated from stored bytes. An attacker who can write to the LevelDB database files used by a Camel application can therefore plant a malicious serialized Java object in the repository; when the component deserializes that object during normal aggregation repository operations, arbitrary code runs in the application's context. The vulnerable code is the DefaultLevelDBSerializer class, and the attacker-controlled input is the serialized Java object stored in the LevelDB database. The precondition is write access to those database files, so every principal and process that can modify the repository directory is part of the attack surface.
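The pattern described above, as an added example that is not Apache Camel's own code: a record read back from an aggregation store with a bare ObjectInputStream, beside the same read guarded by an ObjectInputFilter allowlist. The class names (DeserializationFilterDemo, AggregationRecord, UnexpectedPayload) and the allowlist contents are hypothetical stand-ins, and the filtered variant illustrates the kind of safeguard the description says the vulnerable class lacks, not the fix Apache shipped.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

// Illustrative example for this advisory, not Apache Camel code. Requires JDK 9 or later.
// All class names are hypothetical stand-ins for a persisted aggregation record.
public class DeserializationFilterDemo {

    /** Hypothetical legitimate record as a Camel-style aggregation store might persist it. */
    public static final class AggregationRecord implements Serializable {
        private static final long serialVersionUID = 1L;
        final String correlationKey;
        final ArrayList<String> bodies;

        AggregationRecord(String correlationKey, ArrayList<String> bodies) {
            this.correlationKey = correlationKey;
            this.bodies = bodies;
        }
    }

    /** Stand-in for a class an attacker writes into the store. A real gadget would do harm
     *  in readObject(); this one only proves the attacker-chosen class was loaded and run. */
    public static final class UnexpectedPayload implements Serializable {
        private static final long serialVersionUID = 1L;

        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            System.out.println("  !! UnexpectedPayload.readObject() ran: attacker-chosen code path reached");
        }
    }

    /** Serialize a value to bytes, standing in for a value written to the LevelDB files. */
    static byte[] serialize(Object value) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(value);
        }
        return bos.toByteArray();
    }

    /** Vulnerable pattern: no filter, so any serializable class on the classpath can be instantiated. */
    static Object readUnfiltered(byte[] stored) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(stored))) {
            return ois.readObject();
        }
    }

    /** The only classes a stored record may contain; everything else is rejected. */
    static final Set<Class<?>> ALLOWED_CLASSES = Set.of(AggregationRecord.class, ArrayList.class, String.class);

    /** Allowlist filter with depth, reference and array-size caps against resource-exhaustion streams. */
    static final ObjectInputFilter ALLOWLIST = info -> {
        if (info.depth() > 8 || info.references() > 1_000) {
            return ObjectInputFilter.Status.REJECTED;
        }
        Class<?> cls = info.serialClass();
        if (cls == null) {
            return ObjectInputFilter.Status.UNDECIDED; // back-reference to an object already checked
        }
        if (cls.isArray()) {
            if (info.arrayLength() > 10_000) {
                return ObjectInputFilter.Status.REJECTED;
            }
            cls = cls.getComponentType();
            if (cls == Object.class) {
                return ObjectInputFilter.Status.ALLOWED; // Object[] backing ArrayList; elements are filtered one by one
            }
        }
        return (cls.isPrimitive() || ALLOWED_CLASSES.contains(cls))
                ? ObjectInputFilter.Status.ALLOWED
                : ObjectInputFilter.Status.REJECTED;
    };

    /** Hardened pattern: the filter is consulted before any class named in the stream is resolved. */
    static Object readFiltered(byte[] stored) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(stored))) {
            ois.setObjectInputFilter(ALLOWLIST);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample data: one legitimate record and one attacker-planted value.
        byte[] legitimate = serialize(new AggregationRecord("order-42", new ArrayList<>(List.of("part-1", "part-2"))));
        byte[] planted = serialize(new UnexpectedPayload());

        System.out.println("Unfiltered read of legitimate record: " + readUnfiltered(legitimate).getClass().getSimpleName());
        System.out.println("Unfiltered read of planted record:");
        readUnfiltered(planted); // the planted class's readObject() executes here

        System.out.println("Filtered read of legitimate record: " + readFiltered(legitimate).getClass().getSimpleName());
        System.out.println("Filtered read of planted record:");
        try {
            readFiltered(planted);
        } catch (InvalidClassException e) {
            System.out.println("  rejected before instantiation: " + e.getMessage());
        }
    }
}
```

Compile and run with any JDK 9 or later (javac DeserializationFilterDemo.java && java DeserializationFilterDemo). The unfiltered read of the planted value reaches the planted class's readObject(); the filtered read throws InvalidClassException before that class is instantiated. A per-stream filter like this is the targeted fix; as defense in depth, a process-wide filter can be set with the jdk.serialFilter system property, which also covers deserialization paths in third-party code you do not control.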
Recommendations

Upgrade to Apache Camel version 4.18.0 or later.
Upgrade to Apache Camel version 4.10.9 for the 4.10.x LTS releases.
Upgrade to Apache Camel version 4.14.5 for the 4.14.x LTS releases.

Until the upgrade is deployed, reduce exposure by making the directory that holds the LevelDB aggregation repository writable only by the account the Camel application runs as, since the flaw is reachable only by a party that can write those files.


Weakness Enumeration

Deserialization of Untrusted Data

Related Identifiers

CVE-2026-25747
GHSA-429Q-MRC4-38FR

Affected Products

Apache Camel