CVE-2025-30177: Apache Camel Missing Header Out Filter Leads to Potential Bypass/Injection Vulnerability
CVSS Score: 6.5 (CVSS 3.1)
Basic Information
CVE ID: CVE-2025-30177
GHSA ID:
EPSS Score: 0.32643%
CWE:
Published: 4/1/2025
Updated: 4/1/2025
KEV Status: No
Technology: Java
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| org.apache.camel:camel-undertow | maven | >= 4.10.0, < 4.10.3 | 4.10.3 |
| org.apache.camel:camel-undertow | maven | >= 4.8.0, < 4.8.6 | 4.8.6 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The security patch adds inbound header filtering to UndertowHeaderFilterStrategy.initialize(). Before the fix, this method only set the OUT filter patterns (CAMEL_FILTER_STARTS_WITH) and configured no IN filters, so headers on incoming requests could bypass validation during request processing. Because initialize() is the configuration point for the component's header filtering strategy, it is the key vulnerable function to look for in component initialization stack traces.
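To make the missing IN filter concrete, here is an added Java example (not camel-undertow's own class) that subclasses Camel's DefaultHeaderFilterStrategy twice, once with only the OUT prefix filter and once with both directions, and checks how each treats a constructed inbound header that carries a reserved Camel prefix. It assumes Camel 4.10.x core on the classpath and that setOutFilterStartsWith, setInFilterStartsWith and applyFilterToExternalHeaders are the strategy's API (my recollection, not quoted from the advisory); the header name "CamelHttpUri" is a constructed sample.

```java
import org.apache.camel.Exchange;
import org.apache.camel.impl.DefaultCamelContext;
import org.apache.camel.support.DefaultExchange;
import org.apache.camel.support.DefaultHeaderFilterStrategy;

// Two stand-in strategies that differ only in which direction the prefix
// filter covers. Assumed API: setOutFilterStartsWith / setInFilterStartsWith
// on DefaultHeaderFilterStrategy (Camel 4.10.x); not quoted from the advisory.
public class HeaderFilterDemo {

    // Pre-patch shape: only the OUT (Camel -> external) direction is prefix-filtered.
    static class OutOnlyStrategy extends DefaultHeaderFilterStrategy {
        OutOnlyStrategy() { initialize(); }
        protected void initialize() {
            setOutFilterStartsWith(CAMEL_FILTER_STARTS_WITH);
        }
    }

    // Patched shape: the IN (external -> Camel) direction gets the same prefixes.
    static class InAndOutStrategy extends DefaultHeaderFilterStrategy {
        InAndOutStrategy() { initialize(); }
        protected void initialize() {
            setOutFilterStartsWith(CAMEL_FILTER_STARTS_WITH);
            setInFilterStartsWith(CAMEL_FILTER_STARTS_WITH);
        }
    }

    // Returns true when the strategy drops the header on the inbound path
    // (applyFilterToExternalHeaders reports true when the filter applied).
    static boolean dropsInbound(DefaultHeaderFilterStrategy strategy, String name, Exchange ex) {
        return strategy.applyFilterToExternalHeaders(name, "x", ex);
    }

    public static void main(String[] args) {
        // The exchange is only needed as a parameter; the context is never started.
        Exchange ex = new DefaultExchange(new DefaultCamelContext());
        // Constructed sample: a client-supplied header using a reserved Camel prefix.
        String header = "CamelHttpUri";
        System.out.println("out-only strategy drops inbound " + header + ": "
                + dropsInbound(new OutOnlyStrategy(), header, ex));
        System.out.println("in+out strategy drops inbound " + header + ": "
                + dropsInbound(new InAndOutStrategy(), header, ex));
    }
}
```

With the out-only strategy the inbound header is let through, with the in-and-out strategy it is dropped, which is the behavioural gap the patch closes.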