6.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-30177

GHSA ID

GHSA-vq4p-pchp-6g6v

EPSS Score

0.32643%

CWE

CWE-164

Published

4/1/2025

Updated

4/1/2025

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-30177

CVE-2025-30177: Apache Camel Missing Header Out Filter Leads to Potential Bypass/Injection Vulnerability

Bypass/Injection vulnerability in Apache Camel in Camel-Undertow component under particular conditions.

This issue affects Apache Camel: from 4.10.0 before 4.10.3, from 4.8.0 before 4.8.6.

Users are recommended to upgrade to version 4.10.3 for 4.10.x LTS and 4.8.6 for 4.8.x LTS.

Camel undertow component is vulnerable to Camel message header injection, in particular the custom header filter strategy used by the component only filter the "out" direction, while it doesn't filter the "in" direction.

This allows an attacker to include Camel specific headers that for some Camel components can alter the behaviour such as the camel-bean component, or the camel-exec component.

(GitHub Advisory)

6.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-30177

GHSA ID

GHSA-vq4p-pchp-6g6v

EPSS Score

0.32643%

CWE

CWE-164

Published

4/1/2025

Updated

4/1/2025

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.apache.camel:camel-undertow	maven	>= 4.10.0, < 4.10.3	4.10.3
org.apache.camel:camel-undertow	maven	>= 4.8.0, < 4.8.6	4.8.6

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The security patch adds inbound header filtering to UndertowHeaderFilterStrategy.initialize(). The vulnerability stemmed from this method only setting OUT filter patterns (CAMEL_FILTER_STARTS_WITH) while neglecting IN filters. This allowed malicious headers to bypass validation during request processing. The initialize() method is the root configuration point for header filtering strategies, making it the key vulnerable function visible in component initialization stack traces.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*yp*ss/Inj**tion vuln*r**ility in *p**** **m*l in **m*l-Un**rtow *ompon*nt un**r p*rti*ul*r *on*itions. T*is issu* *****ts *p**** **m*l: *rom *.**.* ***or* *.**.*, *rom *.*.* ***or* *.*.*. Us*rs *r* r**omm*n*** to up*r*** to v*rsion *.**.* *or *.**

Reasoning

T** s**urity p*t** ***s in*oun* *****r *ilt*rin* to Un**rtow*****r*ilt*rStr*t**y.initi*liz*(). T** vuln*r**ility st*mm** *rom t*is m*t*o* only s*ttin* OUT *ilt*r p*tt*rns (**M*L_*ILT*R_ST*RTS_WIT*) w*il* n**l**tin* IN *ilt*rs. T*is *llow** m*li*ious

6.5

Basic Information

Concerned about an active attack path?

CVE-2025-30177: Apache Camel Missing Header Out Filter Leads to Potential Bypass/Injection Vulnerability

6.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI