CVE-2025-29891 is a newly disclosed security vulnerability in Apache Camel that allows an attacker to bypass Camel's default incoming header filter and inject malicious code. The affected versions are as follows:

Exploit Details

The vulnerability is present in the default incoming header filter of Camel components, such as camel-bean and camel-exec. If a Camel application is directly exposed to the internet over HTTP or HTTPS, an attacker can include parameters in HTTP requests that are translated into message headers, altering the behavior of the affected components.

For example, a simple HTTP request to a vulnerable Camel application might look like this:

GET /myCamelApp?CamelInjectParam=myInjectedValue HTTP/1.1
Host: www.example.com

The headers could also be supplied as part of the request body of the HTTP method invocation:

POST /myCamelApp HTTP/1.1
Host: www.example.com
Content-Type: application/json
Content-Length: 43

{
  "CamelInjectParam": "myInjectedValue"
}

It is worth noting that all known Camel HTTP components, such as camel-servlet, camel-jetty, camel-undertow, camel-platform-http, and camel-netty-http, are vulnerable by default.
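The two requests above show the pattern a gateway or log-review script should look for: request parameters, header names, or top-level JSON keys that would collide with Camel's own header namespace. The following is an added example (not code from the advisory or the Apache Camel project) that parses constructed raw requests modelled on those two and reports such names; matching the "Camel" prefix case-insensitively is an assumption made here for a conservative check, not a description of which prefixes a given Camel release filters internally.

```python
import json
import re
from urllib.parse import parse_qsl, urlsplit

# Assumption: any name starting with "Camel", in any letter case, is treated
# as a Camel-internal header name that must never be user-controlled.
CAMEL_PREFIX = re.compile(r"^camel", re.IGNORECASE)


def suspicious_names(names):
    """Return, sorted, the names that look like Camel-internal headers."""
    return sorted(n for n in names if CAMEL_PREFIX.match(n))


def parse_request(raw):
    """Split a raw HTTP/1.1 request (LF line endings) into its parts."""
    head, _, body = raw.partition("\n\n")
    lines = head.splitlines()
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    url = urlsplit(target)
    query = dict(parse_qsl(url.query, keep_blank_values=True))
    return method, url.path, query, headers, body


def inspect_request(raw):
    """Report each place (query string, header names, top-level JSON keys)
    where a Camel-prefixed name could be turned into a Camel message header."""
    _method, _path, query, headers, body = parse_request(raw)
    findings = {"query": suspicious_names(query),
                "headers": suspicious_names(headers), "body": []}
    if headers.get("Content-Type", "").startswith("application/json"):
        try:
            payload = json.loads(body) if body.strip() else {}
        except json.JSONDecodeError:
            payload = {}  # malformed JSON is not a header-injection vector here
        if isinstance(payload, dict):
            findings["body"] = suspicious_names(payload)
    return findings


# Constructed sample requests modelled on the advisory's two examples; the
# POST body deliberately uses a lower-case prefix to exercise the check.
GET_REQUEST = ("GET /myCamelApp?CamelInjectParam=myInjectedValue&page=2 HTTP/1.1\n"
               "Host: www.example.com\n")
POST_REQUEST = ("POST /myCamelApp HTTP/1.1\nHost: www.example.com\n"
                "Content-Type: application/json\nContent-Length: 43\n\n"
                '{\n  "camelInjectParam": "myInjectedValue"\n}\n')
BENIGN_REQUEST = "GET /myCamelApp?page=2 HTTP/1.1\nHost: www.example.com\n"
```

A non-empty list in any of the three slots is a request that should be dropped or logged before it reaches a Camel route.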

Relation to CVE-2025-27636

This vulnerability is closely related to CVE-2025-27636, which also stems from the same root cause and is fixed by the same patch. Initially, CVE-2025-27636 was considered only exploitable if an attacker could add malicious HTTP headers. However, it has now been determined that this vulnerability is also exploitable via HTTP parameters.

It is essential for organizations using the vulnerable Camel components to upgrade to a fixed version and to follow best practices for securing their applications, especially if those applications are directly exposed to the internet.

For more information on Apache Camel and the affected versions, visit the Apache Camel website and refer to their relevant security advisories.

To stay up to date with the latest CVE information and security advisories, follow the Apache Camel Security Team and regularly check the National Cybersecurity and Communications Integration Center for the most recent advisories and best practices.

Timeline

Published on: 03/12/2025 15:15:40 UTC
Last modified on: 03/13/2025 09:15:14 UTC