CVE-2025-30177

Bypass/Injection vulnerability in Apache Camel in Camel-Undertow component under particular conditions. This issue affects Apache Camel: from 4.10.0 before 4.10.3, from 4.8.0 before 4.8.6. Users are recommended to upgrade to version 4.10.3 for 4.10.x LTS and 4.8.6 for 4.8.x LTS. Camel undertow component is vulnerable to Camel message header injection, in particular the custom header filter strategy used by the component only filter the "out" direction, while it doesn't filter the "in" direction. This allows an attacker to include Camel specific headers that for some Camel components can alter the behaviour such as the camel-bean component, or the camel-exec component.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 2.5

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://camel.apache.org/security/CVE-2025-27636.html	Not Applicable
https://camel.apache.org/security/CVE-2025-29891.html	Not Applicable
https://lists.apache.org/thread/dj79zdgw01j337lr9gvyy4sv8xfyw8py	Mailing List Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:apache:camel::::::::
	cpe:2.3:a:apache:camel::::::::

History

15 Apr 2025, 13:00

Type	Values Removed	Values Added
References	~~() https://camel.apache.org/security/CVE-2025-27636.html -~~	() https://camel.apache.org/security/CVE-2025-27636.html - Not Applicable
References	~~() https://camel.apache.org/security/CVE-2025-29891.html -~~	() https://camel.apache.org/security/CVE-2025-29891.html - Not Applicable
References	~~() https://lists.apache.org/thread/dj79zdgw01j337lr9gvyy4sv8xfyw8py -~~	() https://lists.apache.org/thread/dj79zdgw01j337lr9gvyy4sv8xfyw8py - Mailing List, Vendor Advisory
CPE		cpe:2.3:a:apache:camel::::::::
First Time		Apache camel Apache
Summary		(es) Vulnerabilidad de omisión/inyección en Apache Camel en el componente Camel-Undertow bajo ciertas condiciones. Este problema afecta a Apache Camel: de la versión 4.10.0 a la 4.10.3, y de la versión 4.8.0 a la 4.8.6. Se recomienda a los usuarios actualizar a la versión 4.10.3 para la versión 4.10.x LTS y a la 4.8.6 para la versión 4.8.x LTS. El componente Camel Undertow es vulnerable a la inyección de encabezados de mensajes de Camel; en particular, la estrategia de filtrado de encabezados personalizada que utiliza el componente solo filtra la dirección de salida, pero no la de entrada. Esto permite a un atacante incluir encabezados específicos de Camel que, en algunos componentes de Camel, pueden alterar el comportamiento, como los componentes camel-bean o camel-exec.

01 Apr 2025, 19:15

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 6.5

01 Apr 2025, 12:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-04-01 12:15

Updated : 2025-04-15 13:00

NVD link : CVE-2025-30177

Mitre link : CVE-2025-30177

CVE.ORG link : CVE-2025-30177

JSON object : View

Products Affected

apache

camel

CWE

CWE-164

Improper Neutralization of Internal Special Elements

6.5 /10