5.6

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-27636

CVE-2025-27636: Apache Camel: Camel Message Header Injection via Improper Filtering

Bypass/Injection vulnerability in Apache Camel-Bean component under particular conditions.

This issue affects Apache Camel: from 4.9.0 through <= 4.10.1, from 4.0.0-M1 through <= 4.8.4, from 3.10.0 through <= 3.22.3.

Users are recommended to upgrade to version 4.10.2 for 4.10.x LTS, 4.8.5 for 4.8.x LTS and 3.22.4 for 3.x releases.

This vulnerability is only present in the following situation. The user is using one of the following HTTP Servers via one the of the following Camel components

camel-servlet
camel-jetty
camel-undertow
camel-platform-http
camel-netty-http

and in the route, the exchange will be routed to a camel-bean producer. So ONLY camel-bean component is affected. In particular:

The bean invocation (is only affected if you use any of the above together with camel-bean component).
The bean that can be called, has more than 1 method implemented. In these conditions an attacker could be able to forge a Camel header name and make the bean component invoking other methods in the same bean.

The vulnerability arises due to a bug in the default filtering mechanism that only blocks headers starting with "Camel", "camel", or "org.apache.camel.".

Mitigation: You can easily work around this in your Camel applications by removing the headers in your Camel routes. There are many ways of doing this, also globally or per route. This means you could use the removeHeaders EIP, to filter out anything like "cAmel, cAMEL" etc, or in general everything not starting with "Camel", "camel" or "org.apache.camel.".

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-27636

CVE-2025-27636:

5.6

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.apache.camel:camel-support	maven	>= 3.10.0, < 3.22.4	3.22.4
org.apache.camel:camel-support	maven	>= 4.9.0, < 4.10.2	4.10.2
org.apache.camel:camel-support	maven	>= 4.0.0-M1, < 4.8.5	4.8.5

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from improper case handling in Camel's header filtering mechanism. Analysis of the commit diff shows modifications to DefaultHeaderFilterStrategy that added lowercase checks in tryPattern and evalFilterMatch. The original implementation only checked exact case matches for Camel-specific headers (Camel/camel/org.apache.camel), allowing attackers to bypass filters using mixed-case headers. The vulnerable functions are directly responsible for header filtering decisions in HTTP components, and their flawed case sensitivity handling enabled the injection vector when combined with camel-bean components that process unfiltered headers.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

5.6

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-27636: Apache Camel: Camel Message Header Injection via Improper Filtering

CVE-2025-27636:

5.6

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Basic Information

Basic Information

Technical Details

CVE-2025-27636: Apache Camel: Camel Message Header Injection via Improper Filtering

5.6

5.6

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI