CVE-2025-27636
Bypass/Injection vulnerability in org.apache.camel:camel-support
What is CVE-2025-27636 About?
This vulnerability is a Bypass/Injection flaw in Apache Camel components, allowing attackers to manipulate internal behavior by injecting specially crafted headers. It permits the invocation of unintended methods or redirection of messages to different queues, primarily affecting Camel HTTP components exposed directly to the internet. Exploitation is relatively easy if an attacker can send custom HTTP headers to a vulnerable Camel application.
Affected Software
- org.apache.camel:camel-support
  - >3.10.0, <3.22.4
  - >4.0.0-M1, <4.8.5
  - >4.9.0, <4.10.2
Technical Details
The vulnerability stems from a flaw in Camel's default incoming header filter, which only blocks header names that begin with the exact prefixes 'Camel', 'camel', or 'org.apache.camel.'; any other Camel-specific header is allowed to pass through. An attacker who can inject custom headers, for example via HTTP requests, can therefore have them processed by Camel components. In `camel-bean`, this can lead to the invocation of arbitrary methods on the bean; in `camel-jms`, it allows messages to be redirected to different queues. This bypasses the intended processing logic and lets the sender influence the application's control flow, particularly in HTTP-facing components such as `camel-servlet`, `camel-jetty`, `camel-undertow`, `camel-platform-http`, and `camel-netty-http`.
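The following is an added illustration written for this page; it is not Camel's own `DefaultHeaderFilterStrategy` code or the PoC linked below. It models the inbound header filter as the page describes it: the three prefixes are the ones listed above, the pre-fix check compares them case-sensitively, and the hardened check compares case-insensitively, which is the approach the fixed releases take. The sample request headers are constructed, and `find_bypass_attempts` is a hypothetical helper showing how a defender can flag, in access logs or at a reverse proxy, header names that the hardened check treats as Camel-controlled but the vulnerable check would have passed through.

```python
"""
Model of Camel's inbound header filter before and after the CVE-2025-27636 fix.

Added example for this page, not Camel project code. The prefix list is the one
the advisory gives; the pre-fix check is case-sensitive, the hardened one is not.
"""
from typing import Callable, Dict, List

# Prefixes the default incoming filter blocks (from the advisory text).
CAMEL_PREFIXES = ("Camel", "camel", "org.apache.camel.")


def is_blocked_vulnerable(header_name: str) -> bool:
    """Pre-fix behaviour: exact, case-sensitive prefix comparison."""
    return header_name.startswith(CAMEL_PREFIXES)


def is_blocked_fixed(header_name: str) -> bool:
    """Hardened behaviour: the same prefixes, compared case-insensitively."""
    lowered = header_name.lower()
    return any(lowered.startswith(prefix.lower()) for prefix in CAMEL_PREFIXES)


def filter_headers(headers: Dict[str, str],
                   blocked: Callable[[str], bool]) -> Dict[str, str]:
    """Return the headers that the given filter would copy onto the Camel exchange."""
    return {name: value for name, value in headers.items() if not blocked(name)}


def find_bypass_attempts(headers: Dict[str, str]) -> List[str]:
    """Hypothetical detection helper: header names the hardened check recognises
    as Camel-controlled but the vulnerable check lets through. Suitable for
    reviewing proxy/access logs or for a blocking rule in front of a Camel app."""
    return [name for name in headers
            if is_blocked_fixed(name) and not is_blocked_vulnerable(name)]


# Constructed sample request headers (not captured from real traffic).
SAMPLE_HEADERS = {
    "Content-Type": "application/json",
    "X-Request-Id": "constructed-0001",
    "CamelExampleHeader": "dropped by both filters",
    "org.apache.camel.example": "dropped by both filters",
    "CAmelExampleHeader": "constructed: same prefix, different capitalisation",
}

if __name__ == "__main__":
    print("vulnerable filter keeps:", sorted(filter_headers(SAMPLE_HEADERS, is_blocked_vulnerable)))
    print("hardened filter keeps:  ", sorted(filter_headers(SAMPLE_HEADERS, is_blocked_fixed)))
    print("flagged for review:     ", find_bypass_attempts(SAMPLE_HEADERS))
```

Running the module shows that the vulnerable filter forwards `CAmelExampleHeader` to the exchange while the hardened filter drops it; the same case-insensitive test, applied at a reverse proxy or in log review, is a cheap compensating control for deployments that cannot upgrade immediately.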
What is the Impact of CVE-2025-27636?
Successful exploitation may allow attackers to alter the intended behavior of Camel components, invoke unauthorized methods, redirect messages to unintended destinations, and compromise the integrity and control flow of the application.
What is the Exploitability of CVE-2025-27636?
Exploitation requires an attacker to be able to inject custom headers into incoming requests processed by a vulnerable Apache Camel application. This typically involves remote access to an internet-facing Camel application utilizing vulnerable HTTP components (e.g., `camel-servlet`). The complexity is relatively low, as it primarily involves crafting specific HTTP headers. No specific authentication or privilege requirements are mentioned for the injection itself, meaning unauthenticated users could potentially exploit it if the application exposes vulnerable endpoints. The primary risk factor is direct exposure of Camel HTTP components to untrusted external input, allowing header manipulation.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| akamai | Link | PoC for CVE-2025-27636 |
| enochgitgamefied | Link | PoC for CVE-2025-27636 |
What are the Available Fixes for CVE-2025-27636?
Available Upgrade Options
- org.apache.camel:camel-support
  - >3.10.0, <3.22.4 → Upgrade to 3.22.4
  - >4.0.0-M1, <4.8.5 → Upgrade to 4.8.5
  - >4.9.0, <4.10.2 → Upgrade to 4.10.2
Additional Resources
- https://issues.apache.org/jira/browse/CAMEL-21828
- https://github.com/akamai/CVE-2025-27636-Apache-Camel-PoC/blob/main/src/main/java/com/example/camel/VulnerableCamel.java
- https://nvd.nist.gov/vuln/detail/CVE-2025-27636
- https://github.com/apache/camel/commit/45a6b74f7f8af8fd58f197566938a9534392a624
- https://lists.apache.org/thread/l3zcg3vts88bmc7w8172wkgw610y693z
- https://camel.apache.org/security/CVE-2025-27636.html
- https://camel.apache.org/security/CVE-2025-27636.txt.asc
- https://github.com/apache/camel/blob/camel-4.9.0/core/camel-support/src/main/java/org/apache/camel/support/DefaultHeaderFilterStrategy.java
- https://github.com/apache/camel/commit/23a833eec6131a3cdce6e4b1b40b3ac2035b6adf
What are Similar Vulnerabilities to CVE-2025-27636?
Similar Vulnerabilities: CVE-2023-28956, CVE-2023-28946, CVE-2023-28950, CVE-2023-28951, CVE-2023-38035
