CVE-2025-27636 Information

Description

Bypass/Injection vulnerability in Apache Camel-Bean component under particular conditions.

This issue affects Apache Camel: from 4.10.0 through <= 4.10.1 from 4.8.0 through <= 4.8.4 from 3.10.0 through <= 3.22.3.

Users are recommended to upgrade to version 4.10.2 for 4.10.x LTS 4.8.5 for 4.8.x LTS and 3.22.4 for 3.x releases.

This vulnerability is only present in the following situation. The user is using one of the following HTTP Servers via one the of the following Camel components

camel-servlet
camel-jetty
camel-undertow
camel-platform-http
camel-netty-http

and in the route the exchange will be routed to a camel-bean producer. So ONLY camel-bean component is affected. In particular: 

The bean invocation (is only affected if you use any of the above together with camel-bean component).

The bean that can be called has more than 1 method implemented.

In these conditions an attacker could be able to forge a Camel header name and make the bean component invoking other methods in the same bean.

The vulnerability arises due to a bug in the default filtering mechanism that only blocks headers starting with \Camel\ ## Reference http://www.openwall.com/lists/oss-security/2025/03/09/1 https://camel.apache.org/security/CVE-2025-27636.html https://camel.apache.org/security/CVE-2025-27636.txt.asc https://github.com/akamai/CVE-2025-27636-Apache-Camel-PoC/blob/main/src/main/java/com/example/camel/VulnerableCamel.java https://issues.apache.org/jira/browse/CAMEL-21828 https://lists.apache.org/thread/l3zcg3vts88bmc7w8172wkgw610y693z