Cyber Posture

CVE-2025-27636

Severity: Medium · Public PoC available

Published: 09 March 2025
Modified: 23 June 2025
KEV Added
Patch
CVSS Score: 5.6 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L)
EPSS Score: 0.3552 (97.1st percentile)
Risk Priority: 33 (weighted 60% EPSS · 20% KEV · 20% CVSS)


Security Summary

CVE-2025-27636 is a bypass and injection vulnerability in the default incoming header filter of Apache Camel, affecting versions 4.10.0 through 4.10.1, 4.8.0 through 4.8.4, and 3.10.0 through 3.22.3. The flaw stems from the filter blocking only headers that start with exactly "Camel", "camel", or "org.apache.camel.", so an attacker can inject Camel-specific headers under a different letter case (for example "cAmel") and thereby alter component behaviour. Vulnerable components using the default filter include camel-bean, camel-jms, camel-exec, and others such as camel-activemq, camel-http, camel-jetty, camel-kafka, camel-netty-http, camel-platform-http, camel-servlet, camel-undertow, and more.

Attackers can exploit this remotely with no privileges by injecting malicious headers through protocols like HTTP into Camel applications directly exposed to the internet. For instance, HTTP components such as camel-servlet, camel-jetty, camel-undertow, camel-platform-http, and camel-netty-http are vulnerable out-of-the-box, allowing attackers to forge header names that cause camel-bean to invoke unintended methods on beans, camel-jms to redirect messages to different queues on the same broker, or similar manipulations in camel-exec. The CVSS v3.1 base score is 5.6 (AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L), reflecting moderate impact with high attack complexity.

Apache Camel advisories recommend upgrading to the fixed versions: 4.10.2 for the 4.10.x LTS branch, 4.8.5 for 4.8.x LTS, and 3.22.4 for 3.x releases. As a workaround, applications can strip suspicious headers in Camel routes with the removeHeaders EIP, either filtering known case variations such as "cAmel" or "cAMEL" or, more generally, removing every header that does not start with one of the protected prefixes; this can be applied globally or per route. Details are available in the official advisory at https://camel.apache.org/security/CVE-2025-27636.html and the related JIRA ticket CAMEL-21828.
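The following route shows one way to apply the removeHeaders workaround described above; it is an added example, not code from the Apache Camel advisory or project, and the endpoint path, bean name and method name are placeholders. It relies on Camel's documented header-pattern matching (exact, then `*` wildcard, then regular expression) and on the fact that Camel message headers are looked up case-insensitively, which is why a forged "cAmelBeanMethodName" would otherwise be honoured by camel-bean.

```java
import org.apache.camel.builder.RouteBuilder;

/**
 * Added example: strips case-variant "Camel" / "org.apache.camel." headers that
 * slip past the default (case-sensitive) incoming header filter, before the
 * message reaches a component that acts on such headers (here camel-bean).
 * Upgrading to a fixed Camel release remains the primary remediation.
 */
public class HeaderCaseHardeningRoute extends RouteBuilder {

    @Override
    public void configure() {
        // Placeholder HTTP consumer; any of the HTTP components named in the
        // advisory (servlet, jetty, undertow, netty-http, ...) fits here.
        from("platform-http:/api/orders")
            // Remove every header whose name matches "camel..." in ANY letter case
            // (regex with the (?i) flag), but keep the canonical spellings that
            // Camel's own components set after filtering, e.g. CamelHttpMethod,
            // CamelHttpUri. Exclude patterns are matched case-sensitively, so
            // "cAmelBeanMethodName" is removed while "CamelHttpUri" survives.
            .removeHeaders("(?i)camel.*", "Camel*", "camel*")
            // Same treatment for the "org.apache.camel." prefix family.
            .removeHeaders("(?i)org\\.apache\\.camel\\..*", "org.apache.camel.*")
            // Only the sanitised message reaches camel-bean, so the method that
            // runs is the one fixed in the route, not one chosen by a request header.
            .to("bean:orderService?method=placeOrder");
    }
}
```

The same two removeHeaders steps can be placed in an interceptor (for example `interceptFrom()`) to cover every route globally, as the advisory notes.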

Details

CWE(s)
CWE-178

Affected Products

apache
camel
3.10.0 to 3.22.4 · 4.8.0 to 4.8.5 · 4.10.0 to 4.10.2 (each upper bound is the fixed release named above)

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability allows remote attackers to exploit public-facing Apache Camel applications (via HTTP components like camel-servlet, camel-jetty, etc.) by bypassing header filters and injecting malicious headers to alter behaviors in components such as camel-bean, camel-jms, and camel-exec.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References