CVE-2025-29891
Vulnerability from cvelistv5
Published: 2025-03-12 14:42
Modified: 2025-03-19 13:10
EPSS score: 0.06% (0.14982)
Summary

Bypass/Injection vulnerability in Apache Camel.

This issue affects Apache Camel: from 4.10.0 before 4.10.2, from 4.8.0 before 4.8.5, from 3.10.0 before 3.22.4.

Users are recommended to upgrade to version 4.10.2 for 4.10.x LTS, 4.8.5 for 4.8.x LTS and 3.22.4 for 3.x releases.

This vulnerability is present in Camel's default incoming header filter, which allows an attacker to include Camel-specific headers that can alter the behaviour of some Camel components, such as the camel-bean component or the camel-exec component.

If you have Camel applications that are directly connected to the internet via HTTP, then an attacker could include parameters in the HTTP requests sent to the Camel application, and those parameters get translated into headers.

The headers could be provided either as request parameters of an HTTP method invocation or as part of the payload of the HTTP method invocation.

All the known Camel HTTP components, such as camel-servlet, camel-jetty, camel-undertow, camel-platform-http, and camel-netty-http, would be vulnerable out of the box.

This CVE is related to CVE-2025-27636: while they have the same root cause and are fixed with the same fix, CVE-2025-27636 was assumed to be exploitable only if an attacker could add malicious HTTP headers, while we have now determined that it is also exploitable via HTTP parameters. As with CVE-2025-27636, exploitation is only possible if the Camel route uses particular vulnerable components.

Impacted products
Vendor: Apache Software Foundation
Product: Apache Camel
Versions: 4.10.0, 4.8.0, 3.10.0


{
   containers: {
      adp: [
         {
            metrics: [
               {
                  cvssV3_1: {
                     attackComplexity: "HIGH",
                     attackVector: "NETWORK",
                     availabilityImpact: "LOW",
                     baseScore: 4.8,
                     baseSeverity: "MEDIUM",
                     confidentialityImpact: "NONE",
                     integrityImpact: "LOW",
                     privilegesRequired: "NONE",
                     scope: "UNCHANGED",
                     userInteraction: "NONE",
                     vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L",
                     version: "3.1",
                  },
               },
               {
                  other: {
                     content: {
                        id: "CVE-2025-29891",
                        options: [
                           {
                              Exploitation: "poc",
                           },
                           {
                              Automatable: "no",
                           },
                           {
                              "Technical Impact": "partial",
                           },
                        ],
                        role: "CISA Coordinator",
                        timestamp: "2025-03-19T13:08:59.375705Z",
                        version: "2.0.3",
                     },
                     type: "ssvc",
                  },
               },
            ],
            providerMetadata: {
               dateUpdated: "2025-03-19T13:10:01.834Z",
               orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0",
               shortName: "CISA-ADP",
            },
            references: [
               {
                  tags: [
                     "exploit",
                  ],
                  url: "https://github.com/akamai/CVE-2025-27636-Apache-Camel-PoC",
               },
            ],
            title: "CISA ADP Vulnrichment",
         },
      ],
      cna: {
         affected: [
            {
               collectionURL: "https://repo.maven.apache.org/maven2",
               defaultStatus: "unaffected",
               packageName: "org.apache.camel:camel",
               product: "Apache Camel",
               vendor: "Apache Software Foundation",
               versions: [
                  {
                     lessThan: "4.10.2",
                     status: "affected",
                     version: "4.10.0",
                     versionType: "semver",
                  },
                  {
                     lessThan: "4.8.5",
                     status: "affected",
                     version: "4.8.0",
                     versionType: "semver",
                  },
                  {
                     lessThan: "3.22.4",
                     status: "affected",
                     version: "3.10.0",
                     versionType: "semver",
                  },
               ],
            },
         ],
         credits: [
            {
               lang: "en",
               type: "finder",
               value: "Citi Cyber Security Operations",
            },
            {
               lang: "en",
               type: "reporter",
               value: "Akamai Security Intelligence Group (SIG)",
            },
            {
               lang: "en",
               type: "finder",
               value: "Mark Thorson of AT&T",
            },
            {
               lang: "en",
               type: "reporter",
               value: "Mark Thorson of AT&T",
            },
         ],
         descriptions: [
            {
               lang: "en",
               supportingMedia: [
                  {
                     base64: false,
                     type: "text/html",
                     value: "<p>Bypass/Injection vulnerability in Apache Camel.</p><p>This issue affects Apache Camel: from 4.10.0 before 4.10.2, from 4.8.0 before 4.8.5, from 3.10.0 before 3.22.4.</p><p>Users are recommended to upgrade to version 4.10.2 for 4.10.x LTS, 4.8.5 for 4.8.x LTS and 3.22.4 for 3.x releases.</p><p>This vulnerability is present in Camel's default incoming header filter, that allows an attacker to include Camel specific headers that for some Camel components can alter the behaviours such as the camel-bean component, or the camel-exec component.</p><p>If you have Camel applications that are directly connected to the internet via HTTP, then an attacker&nbsp;<span style=\"background-color: rgb(255, 255, 255);\">could include parameters in the HTTP requests that are sent to the Camel application that get translated into headers.</span>&nbsp;</p><p>The headers could be both provided as request parameters for an HTTP methods invocation or as part of the payload of the HTTP methods invocation.</p><p><span style=\"background-color: var(--wht);\">All the known Camel HTTP component such as camel-servlet, camel-jetty, camel-undertow, camel-platform-http, and camel-netty-http would be vulnerable out of the box.</span></p><span style=\"background-color: rgb(255, 255, 255);\">This CVE is related to the CVE-2025-27636: while they have the same root cause and are fixed with the same fix, CVE-2025-27636 was assumed to only be exploitable if an attacker could add malicious HTTP headers, while we have now determined that it is also exploitable via HTTP parameters. Like in CVE-2025-27636, exploitation is only possible if the Camel route uses particular vulnerable components.</span><p></p>",
                  },
               ],
               value: "Bypass/Injection vulnerability in Apache Camel.\n\nThis issue affects Apache Camel: from 4.10.0 before 4.10.2, from 4.8.0 before 4.8.5, from 3.10.0 before 3.22.4.\n\nUsers are recommended to upgrade to version 4.10.2 for 4.10.x LTS, 4.8.5 for 4.8.x LTS and 3.22.4 for 3.x releases.\n\nThis vulnerability is present in Camel's default incoming header filter, that allows an attacker to include Camel specific headers that for some Camel components can alter the behaviours such as the camel-bean component, or the camel-exec component.\n\nIf you have Camel applications that are directly connected to the internet via HTTP, then an attacker could include parameters in the HTTP requests that are sent to the Camel application that get translated into headers. \n\nThe headers could be both provided as request parameters for an HTTP methods invocation or as part of the payload of the HTTP methods invocation.\n\nAll the known Camel HTTP component such as camel-servlet, camel-jetty, camel-undertow, camel-platform-http, and camel-netty-http would be vulnerable out of the box.\n\nThis CVE is related to the CVE-2025-27636: while they have the same root cause and are fixed with the same fix, CVE-2025-27636 was assumed to only be exploitable if an attacker could add malicious HTTP headers, while we have now determined that it is also exploitable via HTTP parameters. Like in CVE-2025-27636, exploitation is only possible if the Camel route uses particular vulnerable components.",
            },
         ],
         metrics: [
            {
               other: {
                  content: {
                     text: "important",
                  },
                  type: "Textual description of severity",
               },
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-164",
                     description: "CWE-164 Improper Neutralization of Internal Special Elements",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2025-03-13T08:22:07.519Z",
            orgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            shortName: "apache",
         },
         references: [
            {
               tags: [
                  "related",
               ],
               url: "https://camel.apache.org/security/CVE-2025-27636.html",
            },
            {
               tags: [
                  "vendor-advisory",
               ],
               url: "https://camel.apache.org/security/CVE-2025-29891.html",
            },
         ],
         source: {
            defect: [
               "CAMEL-21828",
            ],
            discovery: "UNKNOWN",
         },
         title: "Apache Camel: Camel Message Header Injection through request parameters",
         x_generator: {
            engine: "Vulnogram 0.2.0",
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09",
      assignerShortName: "apache",
      cveId: "CVE-2025-29891",
      datePublished: "2025-03-12T14:42:59.644Z",
      dateReserved: "2025-03-12T08:48:54.633Z",
      dateUpdated: "2025-03-19T13:10:01.834Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}


Sightings


Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.