U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

National Vulnerability Database

National Vulnerability Database

NVD

National Vulnerability Database

Vulnerability Change Records for CVE-2025-27636

Change History

CVE Modified by Apache Software Foundation 3/09/2025 11:15:35 AM

Action Type Old Value New Value
Changed Description 
Bypass/Injection vulnerability in Apache Camel.

This issue affects Apache Camel: from 4.10.0 through <= 4.10.1, from 4.8.0 through <= 4.8.4, from 3.10.0 through <= 3.22.3.

Users are recommended to upgrade to version 4.10.2 for 4.10.x LTS, 4.8.5 for 4.8.x LTS and 3.22.4 for 3.x releases.

The vulnerability arises due to a bug in the default filtering mechanism that only blocks headers starting with "Camel", "camel", or "org.apache.camel.". Attackers can bypass this filter by altering the casing of letters. This allows attackers to inject headers which can be exploited to invoke arbitrary methods from the Bean registry and also supports using Simple Expression Language (or OGNL in some cases) as part of the method parameters passed to the bean. It's important to note that only methods in the same bean declared in the bean URI could be invoked.


Mitigation: You can easily work around this in your Camel applications by removing the headers in your Camel routes. There are many ways of doing this, also globally or per route. This means you could use the removeHeaders EIP, to filter out anything like "cAmel, cAMEL" etc, or in general everything not starting with "Camel", "camel" or "org.apache.camel.".
 
Bypass/Injection vulnerability in Apache Camel-Bean component under particular conditions.

This issue affects Apache Camel: from 4.10.0 through <= 4.10.1, from 4.8.0 through <= 4.8.4, from 3.10.0 through <= 3.22.3.

Users are recommended to upgrade to version 4.10.2 for 4.10.x LTS, 4.8.5 for 4.8.x LTS and 3.22.4 for 3.x releases.

This vulnerability is only present in the following situation. The user is using one of the following HTTP Servers via one the of the following Camel components

  *  camel-servlet
  *  camel-jetty
  *  camel-undertow
  *  camel-platform-http
  *  camel-netty-http


and in the route, the exchange will be routed to a camel-bean producer. So ONLY camel-bean component is affected. In particular: 

  *  The bean invocation (is only affected if you use any of the above together with camel-bean component).

  *  The bean that can be called, has more than 1 method implemented.
In these conditions an attacker could be able to forge a Camel header name and make the bean component invoking other methods in the same bean.

The vulnerability arises due to a bug in the default filtering mechanism that only blocks headers starting with "Camel", "camel", or "org.apache.camel.". 


Mitigation: You can easily work around this in your Camel applications by removing the headers in your Camel routes. There are many ways of doing this, also globally or per route. This means you could use the removeHeaders EIP, to filter out anything like "cAmel, cAMEL" etc, or in general everything not starting with "Camel", "camel" or "org.apache.camel.".