Bypass/Injection vulnerability in Apache Camel in Camel-Undertow component under particular conditions.
This issue affects Apache Camel: from 4.10.0 before 4.10.3, from 4.8.0 before 4.8.6.
Users are recommended to upgrade to version 4.10.3 for 4.10.x LTS and 4.8.6 for 4.8.x LTS.
Camel undertow component is vulnerable to Camel message header injection, in particular the custom header filter strategy used by the component only filter the "out" direction, while it doesn't filter the "in" direction.
This allows an attacker to include Camel specific headers that for some Camel components can alter the behaviour such as the camel-bean component, or the camel-exec component.
CVSS
No CVSS.
References
| Link | Resource |
|---|---|
| https://camel.apache.org/security/CVE-2025-27636.html | Not Applicable |
| https://camel.apache.org/security/CVE-2025-29891.html | Not Applicable |
| https://lists.apache.org/thread/dj79zdgw01j337lr9gvyy4sv8xfyw8py | Mailing List Vendor Advisory |
Configurations
Configuration 1 (hide)
|
History
15 Apr 2025, 13:00
| Type | Values Removed | Values Added |
|---|---|---|
| First Time |
Apache camel
Apache |
|
| CPE | cpe:2.3:a:apache:camel:*:*:*:*:*:*:*:* | |
| References | () https://lists.apache.org/thread/dj79zdgw01j337lr9gvyy4sv8xfyw8py - Mailing List, Vendor Advisory | |
| References | () https://camel.apache.org/security/CVE-2025-29891.html - Not Applicable | |
| References | () https://camel.apache.org/security/CVE-2025-27636.html - Not Applicable |
01 Apr 2025, 19:15
| Type | Values Removed | Values Added |
|---|---|---|
| CWE |
01 Apr 2025, 12:15
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2025-04-01 12:15
Updated : 2025-04-15 13:00
NVD link : CVE-2025-30177
Mitre link : CVE-2025-30177
JSON object : View
Products Affected
apache
- camel
CWE
No CWE.