VYPR
Moderate severity · NVD Advisory · Published Mar 9, 2025 · Updated Feb 26, 2026

Apache Camel: Camel Message Header Injection via Improper Filtering

CVE-2025-27636

Description

Bypass/Injection vulnerability in Apache Camel components under particular conditions.

This issue affects Apache Camel: from 4.10.0 through <= 4.10.1, from 4.8.0 through <= 4.8.4, from 3.10.0 through <= 3.22.3.

Users are recommended to upgrade to version 4.10.2 for 4.10.x LTS, 4.8.5 for 4.8.x LTS and 3.22.4 for 3.x releases.

This vulnerability is present in Camel's default incoming header filter, which allows an attacker to include Camel-specific headers that, for some Camel components, can alter behaviour: with the camel-bean component, a forged header can make the route call a method on the bean other than the one coded in the application; with the camel-jms component, a malicious header can be used to send the message to a queue (on the same broker) other than the one coded in the application. The same can be seen with the camel-exec component.

The attacker would need to inject custom headers, for example over HTTP. So if you have Camel applications that are directly connected to the internet via HTTP, an attacker could include malicious HTTP headers in the HTTP requests that are sent to the Camel application.

All the known Camel HTTP components, such as camel-servlet, camel-jetty, camel-undertow, camel-platform-http, and camel-netty-http, would be vulnerable out of the box.

Under these conditions an attacker could forge a Camel header name and make the bean component invoke other methods in the same bean.

The components that use the default header filter strategy are:

  • camel-activemq
  • camel-activemq6
  • camel-amqp
  • camel-aws2-sqs
  • camel-azure-servicebus
  • camel-cxf-rest
  • camel-cxf-soap
  • camel-http
  • camel-jetty
  • camel-jms
  • camel-kafka
  • camel-knative
  • camel-mail
  • camel-nats
  • camel-netty-http
  • camel-platform-http
  • camel-rest
  • camel-sjms
  • camel-spring-rabbitmq
  • camel-stomp
  • camel-tahu
  • camel-undertow
  • camel-xmpp

The vulnerability arises due to a bug in the default filtering mechanism that only blocks headers starting with "Camel", "camel", or "org.apache.camel.".

Mitigation: You can easily work around this in your Camel applications by removing the headers in your Camel routes. There are many ways of doing this, globally or per route. For example, you could use the removeHeaders EIP to filter out anything like "cAmel", "cAMEL", etc., or in general everything not starting with "Camel", "camel" or "org.apache.camel.".
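As an added illustration (not code from the advisory or from Apache Camel), the following Python models the default incoming header filter before and after the fix and runs a constructed HTTP request through it, listing the header names that the old exact-case prefix check lets through. The prefix list and the lower-case fallback mirror what the advisory and the patched DefaultHeaderFilterStrategy describe; the sample request, its header names and the function names are assumptions made for this example, and Python's str.lower() stands in for Java's toLowerCase(Locale.ENGLISH).

```python
"""
Model of Apache Camel's default incoming header filter before and after the
CVE-2025-27636 fix, plus a small detector that flags case-variant Camel header
names in a raw HTTP request. Illustrative code written for this page, not
Camel's own implementation.
"""
from __future__ import annotations

# Prefixes blocked by the default incoming filter, as stated in the advisory.
CAMEL_PREFIXES = ("Camel", "camel", "org.apache.camel.")


def filtered_before_fix(header_name: str) -> bool:
    """Pre-fix behaviour: a case-sensitive startsWith against the prefix list.
    'caMElHttpResponseCode' is not filtered because no prefix matches exactly."""
    return any(header_name.startswith(p) for p in CAMEL_PREFIXES)


def filtered_after_fix(header_name: str) -> bool:
    """Post-fix behaviour in lower-case mode: the exact check first, then the
    same prefixes compared against the lower-cased name (the Java fix uses
    Locale.ENGLISH; str.lower() is the equivalent for ASCII header names)."""
    if filtered_before_fix(header_name):
        return True
    lower = header_name.lower()
    return lower.startswith("camel") or lower.startswith("org.apache.camel.")


def parse_request_headers(raw_request: str) -> list[tuple[str, str]]:
    """Split an HTTP/1.1 request into (name, value) header pairs.
    Only the header block is parsed; anything after the blank line is ignored."""
    head, _, _body = raw_request.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers: list[tuple[str, str]] = []
    for line in lines[1:]:  # skip the request line
        if not line:
            continue
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip(), value.strip()))
    return headers


def bypassing_headers(raw_request: str) -> list[str]:
    """Return header names that the pre-fix filter lets through but that the
    case-insensitive check recognises as Camel-specific. A non-empty result on
    an internet-facing Camel endpoint is worth alerting on."""
    return [
        name
        for name, _ in parse_request_headers(raw_request)
        if filtered_after_fix(name) and not filtered_before_fix(name)
    ]


# Constructed sample request (assumption for this example, not captured traffic).
SAMPLE_REQUEST = (
    "GET /get HTTP/1.1\r\n"
    "Host: camel.example.internal\r\n"
    "Accept: application/json\r\n"
    "User-Agent: User-Agent-Camel\r\n"
    "caMElHttpResponseCode: 503\r\n"
    "CamelHttpResponseCode: 503\r\n"
    "ORG.APACHE.CAMEL.component.jetty.session: true\r\n"
    "X-Request-Id: 42\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for name, _ in parse_request_headers(SAMPLE_REQUEST):
        print(f"{name:45s} before_fix={filtered_before_fix(name)!s:5s} "
              f"after_fix={filtered_after_fix(name)}")
    print("headers bypassing the unpatched filter:", bypassing_headers(SAMPLE_REQUEST))
```

Run as a script it prints a per-header verdict for both filter versions. The bypassing_headers function is the part a defender could lift into request logging or a gateway rule while a fleet is being upgraded: any hit means a request carried a Camel-looking header that the unpatched filter would have passed through to the route.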

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Apache Camel's default header filter fails to block crafted headers, enabling method/queue injection in HTTP-exposed components.

Root Cause

CVE-2025-27636 is a Bypass/Injection vulnerability in Apache Camel's DefaultHeaderFilterStrategy. The filter, intended to strip Camel-specific headers from incoming messages, contains a flaw that allows specially-crafted header names to bypass the filter [1]. This affects Camel versions 4.10.0–4.10.1, 4.8.0–4.8.4, and 3.10.0–3.22.3 [1].

Attack Surface & Exploitation

The vulnerability is exploitable via HTTP-based Camel components (e.g., camel-servlet, camel-jetty, camel-undertow, camel-platform-http, camel-netty-http) when the application is directly exposed to the internet [1]. An attacker can inject malicious HTTP headers containing Camel-specific header names. For the camel-bean component, this can force invocation of unintended methods on a bean, deviating from the intended route logic [1]. For camel-jms, a crafted header can redirect messages to an unintended queue on the same broker [1]. The camel-exec component is also affected [1].

Impact

Successful exploitation allows an attacker to alter the behavior of Camel routes, potentially leading to arbitrary method calls on beans, message misdirection, or execution of unintended commands [1]. The impact is constrained to operations within the existing application and infrastructure (same bean methods, same JMS broker), but can bypass application-level controls [1].

Remediation

Apache has released fixed versions: 4.10.2 (4.10.x LTS), 4.8.5 (4.8.x LTS), and 3.22.4 (3.x) [1]. The fix addresses the filter bypass by ensuring proper case-insensitive header filtering [2][3][4]. All users of affected versions should upgrade immediately.

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                          Ecosystem   Affected versions       Patched versions
org.apache.camel:camel-support   Maven       >= 3.10.0, < 3.22.4     3.22.4
org.apache.camel:camel-support   Maven       >= 4.0.0-M1, < 4.8.5    4.8.5
org.apache.camel:camel-support   Maven       >= 4.9.0, < 4.10.2      4.10.2

Affected products: 3

Patches: 2
45a6b74f7f8a

CAMEL-21828: Fix DefaultHeaderFilterStrategy when filtering in lower-case mode (#17362)

https://github.com/apache/camel · Claus Ibsen · Mar 5, 2025 · via ghsa
3 files changed · +97 -0
  • components/camel-platform-http/src/test/java/org/apache/camel/component/platform/http/PlatformHttpCamelHeadersTest.java (+60 -0, added)
    @@ -0,0 +1,60 @@
    +/*
    + * Licensed to the Apache Software Foundation (ASF) under one or more
    + * contributor license agreements.  See the NOTICE file distributed with
    + * this work for additional information regarding copyright ownership.
    + * The ASF licenses this file to You under the Apache License, Version 2.0
    + * (the "License"); you may not use this file except in compliance with
    + * the License.  You may obtain a copy of the License at
    + *
    + *      http://www.apache.org/licenses/LICENSE-2.0
    + *
    + * Unless required by applicable law or agreed to in writing, software
    + * distributed under the License is distributed on an "AS IS" BASIS,
    + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    + * See the License for the specific language governing permissions and
    + * limitations under the License.
    + */
    +package org.apache.camel.component.platform.http;
    +
    +import org.apache.camel.Exchange;
    +import org.apache.camel.builder.RouteBuilder;
    +import org.junit.jupiter.api.Assertions;
    +import org.junit.jupiter.api.Test;
    +
    +import static io.restassured.RestAssured.given;
    +
    +public class PlatformHttpCamelHeadersTest extends AbstractPlatformHttpTest {
    +
    +    @Test
    +    void testFilterCamelHeaders() {
    +        given()
    +                .header("Accept", "application/json")
    +                .header("User-Agent", "User-Agent-Camel")
    +                .header("caMElHttpResponseCode", "503")
    +                .port(port)
    +                .expect()
    +                .statusCode(200)
    +                .header("Accept", (String) null)
    +                .header("User-Agent", (String) null)
    +                .header("CamelHttpResponseCode", (String) null)
    +                .when()
    +                .get("/get");
    +    }
    +
    +    @Override
    +    protected RouteBuilder routes() {
    +        return new RouteBuilder() {
    +            @Override
    +            public void configure() {
    +                from("platform-http:/get")
    +                        .process(e -> {
    +                            Assertions.assertEquals("application/json", e.getMessage().getHeader("Accept"));
    +                            Assertions.assertEquals("User-Agent-Camel", e.getMessage().getHeader("User-Agent"));
    +                            Assertions.assertNull(e.getMessage().getHeader(Exchange.HTTP_RESPONSE_CODE));
    +                        })
    +                        .setBody().constant("");
    +            }
    +        };
    +    }
    +
    +}
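Review bot: the `Assertions.assertEquals` / `assertNull` calls inside the `.process()` lambda run on the route thread, so when one fails the test only sees a non-200 response from `get("/get")` rather than the assertion message, which makes a regression hard to read. Capturing the observed header values (fields or a mock endpoint) and asserting on them in `testFilterCamelHeaders` after the request would keep the failure visible. The request also exercises only the `caMElHttpResponseCode` variant; a mixed-case `org.apache.camel.` style name would cover the second prefix the fix handles.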
    
  • core/camel-core/src/test/java/org/apache/camel/impl/DefaultHeaderFilterStrategyTest.java (+23 -0, modified)
    @@ -25,6 +25,7 @@
     import org.apache.camel.support.DefaultHeaderFilterStrategy;
     import org.junit.jupiter.api.Test;
     
    +import static org.apache.camel.support.DefaultHeaderFilterStrategy.CAMEL_FILTER_PATTERN;
     import static org.apache.camel.support.DefaultHeaderFilterStrategy.CAMEL_FILTER_STARTS_WITH;
     import static org.junit.jupiter.api.Assertions.*;
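Review bot: the added `import static org.apache.camel.support.DefaultHeaderFilterStrategy.CAMEL_FILTER_PATTERN;` is unused: the new `testInStartsWithLowerCase` only references `CAMEL_FILTER_STARTS_WITH`, and the same test lands in 23a833eec613 without this import. Drop it unless a pattern-mode test is planned.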
     
    @@ -175,4 +176,26 @@ public void testInStartsWith() {
             assertTrue(comp.applyFilterToExternalHeaders("org.apache.camel.component.jetty.session", "true", exchange));
         }
     
    +    @Test
    +    public void testInStartsWithLowerCase() {
    +        DefaultHeaderFilterStrategy comp = new DefaultHeaderFilterStrategy();
    +        comp.setLowerCase(true);
    +
    +        comp.setInFilterStartsWith(CAMEL_FILTER_STARTS_WITH);
    +
    +        Exchange exchange = new DefaultExchange(context);
    +        exchange.getIn().setHeader("bar", 123);
    +        exchange.getIn().setHeader("foo", "cheese");
    +        exchange.getIn().setHeader("caMElVersion", "3.7");
    +        exchange.getIn().setHeader("org.apache.CAMEL.component.jetty.session", "true");
    +
    +        assertTrue(comp.applyFilterToExternalHeaders("caMElVersion", 123, exchange));
    +        assertTrue(comp.applyFilterToExternalHeaders("cAmelResponseCode", 503, exchange));
    +
    +        assertFalse(comp.applyFilterToExternalHeaders("bar", 123, exchange));
    +        assertFalse(comp.applyFilterToExternalHeaders("foo", "cheese", exchange));
    +        assertTrue(comp.applyFilterToExternalHeaders("CamelVersion", "3.7", exchange));
    +        assertTrue(comp.applyFilterToExternalHeaders("org.apache.camel.component.jetty.session", "true", exchange));
    +    }
    +
     }
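Review bot: the one mixed-case `org.apache.camel.` name the test prepares, `org.apache.CAMEL.component.jetty.session`, is never asserted on; the final line checks the plain lower-case `org.apache.camel.component.jetty.session`, which the pre-fix code already filtered. Add `assertTrue(comp.applyFilterToExternalHeaders("org.apache.CAMEL.component.jetty.session", "true", exchange));` so the `org.apache.camel.` half of the new lower-case branch in `DefaultHeaderFilterStrategy` is actually exercised.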
    
  • core/camel-support/src/main/java/org/apache/camel/support/DefaultHeaderFilterStrategy.java (+14 -0, modified)
    @@ -314,6 +314,13 @@ private boolean doFiltering(Direction direction, String headerName, Object heade
                     if (match) {
                         return filterOnMatch;
                     }
    +                if (isLowerCase()) {
    +                    String lower = headerName.toLowerCase(Locale.ENGLISH);
    +                    match = lower.startsWith(s);
    +                    if (match) {
    +                        return filterOnMatch;
    +                    }
    +                }
                 }
             }
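Review bot: `match = lower.startsWith(s)` compares a lower-cased header name against the configured prefix as-is, so an entry such as `"Camel"` can never match and the fallback silently depends on the `startsWith` list also containing `"camel"`. Either lower-case `s` as well or document that `lowerCase` mode expects lower-case prefixes. `headerName.toLowerCase(Locale.ENGLISH)` is also recomputed in the pattern branch of the next hunk; computing it once per `doFiltering` call would avoid the duplicate allocation.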
     
    @@ -325,6 +332,13 @@ private boolean doFiltering(Direction direction, String headerName, Object heade
                     if (match) {
                         return filterOnMatch;
                     }
    +                if (isLowerCase()) {
    +                    String lower = headerName.toLowerCase(Locale.ENGLISH);
    +                    match = lower.startsWith("camel") || lower.startsWith("org.apache.camel.");
    +                    if (match) {
    +                        return true;
    +                    }
    +                }
                 } else if (pattern.matcher(headerName).matches()) {
                     return filterOnMatch;
                 }
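Review bot: the new branch ends with `return true;` while both neighbouring branches, the `if (match) { return filterOnMatch; }` just above and the `else if (pattern.matcher(headerName).matches()) { return filterOnMatch; }` below, return `filterOnMatch`. For a strategy configured with `filterOnMatch == false` the case-insensitive path would therefore filter a header that the exact-case path lets through. Use `return filterOnMatch;` for consistency.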
    
23a833eec613

CAMEL-21828: Fix DefaultHeaderFilterStrategy when filtering in lower-case mode. (#17351)

https://github.com/apache/camel · Claus Ibsen · Mar 4, 2025 · via ghsa
3 files changed · +107 -7
  • components/camel-platform-http/src/test/java/org/apache/camel/component/platform/http/PlatformHttpCamelHeadersTest.java (+60 -0, added)
    @@ -0,0 +1,60 @@
    +/*
    + * Licensed to the Apache Software Foundation (ASF) under one or more
    + * contributor license agreements.  See the NOTICE file distributed with
    + * this work for additional information regarding copyright ownership.
    + * The ASF licenses this file to You under the Apache License, Version 2.0
    + * (the "License"); you may not use this file except in compliance with
    + * the License.  You may obtain a copy of the License at
    + *
    + *      http://www.apache.org/licenses/LICENSE-2.0
    + *
    + * Unless required by applicable law or agreed to in writing, software
    + * distributed under the License is distributed on an "AS IS" BASIS,
    + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    + * See the License for the specific language governing permissions and
    + * limitations under the License.
    + */
    +package org.apache.camel.component.platform.http;
    +
    +import org.apache.camel.Exchange;
    +import org.apache.camel.builder.RouteBuilder;
    +import org.junit.jupiter.api.Assertions;
    +import org.junit.jupiter.api.Test;
    +
    +import static io.restassured.RestAssured.given;
    +
    +public class PlatformHttpCamelHeadersTest extends AbstractPlatformHttpTest {
    +
    +    @Test
    +    void testFilterCamelHeaders() {
    +        given()
    +                .header("Accept", "application/json")
    +                .header("User-Agent", "User-Agent-Camel")
    +                .header("caMElHttpResponseCode", "503")
    +                .port(port)
    +                .expect()
    +                .statusCode(200)
    +                .header("Accept", (String) null)
    +                .header("User-Agent", (String) null)
    +                .header("CamelHttpResponseCode", (String) null)
    +                .when()
    +                .get("/get");
    +    }
    +
    +    @Override
    +    protected RouteBuilder routes() {
    +        return new RouteBuilder() {
    +            @Override
    +            public void configure() {
    +                from("platform-http:/get")
    +                        .process(e -> {
    +                            Assertions.assertEquals("application/json", e.getMessage().getHeader("Accept"));
    +                            Assertions.assertEquals("User-Agent-Camel", e.getMessage().getHeader("User-Agent"));
    +                            Assertions.assertNull(e.getMessage().getHeader(Exchange.HTTP_RESPONSE_CODE));
    +                        })
    +                        .setBody().constant("");
    +            }
    +        };
    +    }
    +
    +}
    
  • core/camel-core/src/test/java/org/apache/camel/impl/DefaultHeaderFilterStrategyTest.java (+22 -0, modified)
    @@ -175,4 +175,26 @@ public void testInStartsWith() {
             assertTrue(comp.applyFilterToExternalHeaders("org.apache.camel.component.jetty.session", "true", exchange));
         }
     
    +    @Test
    +    public void testInStartsWithLowerCase() {
    +        DefaultHeaderFilterStrategy comp = new DefaultHeaderFilterStrategy();
    +        comp.setLowerCase(true);
    +
    +        comp.setInFilterStartsWith(CAMEL_FILTER_STARTS_WITH);
    +
    +        Exchange exchange = new DefaultExchange(context);
    +        exchange.getIn().setHeader("bar", 123);
    +        exchange.getIn().setHeader("foo", "cheese");
    +        exchange.getIn().setHeader("caMElVersion", "3.7");
    +        exchange.getIn().setHeader("org.apache.CAMEL.component.jetty.session", "true");
    +
    +        assertTrue(comp.applyFilterToExternalHeaders("caMElVersion", 123, exchange));
    +        assertTrue(comp.applyFilterToExternalHeaders("cAmelResponseCode", 503, exchange));
    +
    +        assertFalse(comp.applyFilterToExternalHeaders("bar", 123, exchange));
    +        assertFalse(comp.applyFilterToExternalHeaders("foo", "cheese", exchange));
    +        assertTrue(comp.applyFilterToExternalHeaders("CamelVersion", "3.7", exchange));
    +        assertTrue(comp.applyFilterToExternalHeaders("org.apache.camel.component.jetty.session", "true", exchange));
    +    }
    +
     }
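Review bot: the four `exchange.getIn().setHeader(...)` calls are dead setup. `applyFilterToExternalHeaders` receives the header name and value as arguments and the exchange headers are never consulted, so a reader may assume the mixed-case `org.apache.CAMEL.component.jetty.session` header is under test when no assertion names it. Either remove the setters or add an assertion for that exact name.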
    
  • core/camel-support/src/main/java/org/apache/camel/support/DefaultHeaderFilterStrategy.java (+25 -7, modified)
    @@ -17,7 +17,6 @@
     package org.apache.camel.support;
     
     import java.util.HashSet;
    -import java.util.Locale;
     import java.util.Set;
     import java.util.regex.Pattern;
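Review bot: dropping `import java.util.Locale` means the `toLowerCase(Locale.ENGLISH)` call removed further down becomes a default-locale `toLowerCase()`. Under a Turkish default locale an upper-case `I` lower-cases to dotless `ı`, so a configured filter entry containing `i` will not match a header name spelled with `I`. Keep `Locale.ENGLISH` (or `Locale.ROOT`) for every lower-casing in this file.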
     
    @@ -344,35 +343,52 @@ private boolean doFiltering(Direction direction, String headerName, Object heade
                 startsWith = inFilterStartsWith;
             }
     
    +        String lower = null;
    +
             if (startsWith != null) {
                 if (tryHeaderMatch(headerName, startsWith)) {
                     return filterOnMatch;
                 }
    +            if (lowerCase) {
    +                lower = headerName.toLowerCase();
    +                if (tryHeaderMatch(lower, startsWith)) {
    +                    return filterOnMatch;
    +                }
    +            }
             }
     
             if (pattern != null) {
    -            if (tryPattern(headerName, pattern)) {
    +            if (tryPattern(headerName, lower, pattern)) {
                     return filterOnMatch;
                 }
             }
     
             if (filter != null) {
    -            if (evalFilterMatch(headerName, filter)) {
    +            if (evalFilterMatch(headerName, lower, filter)) {
                     return filterOnMatch;
                 }
             }
     
             return extendedFilter(direction, headerName, headerValue, exchange);
         }
     
    -    private boolean tryPattern(String headerName, Pattern pattern) {
    +    private boolean tryPattern(String headerName, String lower, Pattern pattern) {
             // optimize if its the default pattern as we know the pattern is to check for keys starting with Camel
             if (pattern == CAMEL_FILTER_PATTERN) {
                 boolean match = headerName.startsWith("Camel") || headerName.startsWith("camel")
                         || headerName.startsWith("org.apache.camel.");
                 if (match) {
                     return true;
                 }
    +            if (lowerCase) {
    +                if (lower == null) {
    +                    lower = headerName.toLowerCase();
    +                }
    +                match = lower.startsWith("camel") || lower.startsWith("org.apache.camel.");
    +                if (match) {
    +                    return true;
    +                }
    +            }
             } else if (pattern.matcher(headerName).matches()) {
                 return true;
             }
    @@ -389,15 +405,17 @@ private boolean tryHeaderMatch(String headerName, String[] startsWith) {
             return false;
         }
     
    -    private boolean evalFilterMatch(String headerName, Set<String> filter) {
    +    private boolean evalFilterMatch(String headerName, String lower, Set<String> filter) {
             if (isCaseInsensitive()) {
                 for (String filterString : filter) {
                     if (filterString.equalsIgnoreCase(headerName)) {
                         return true;
                     }
                 }
    -        } else if (isLowerCase()) {
    -            String lower = headerName.toLowerCase(Locale.ENGLISH);
    +        } else if (lowerCase) {
    +            if (lower == null) {
    +                lower = headerName.toLowerCase();
    +            }
                 if (filter.contains(lower)) {
                     return true;
                 }
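Review bot: this hunk replaces `isLowerCase()` with the bare `lowerCase` field in the same condition chain that still calls `isCaseInsensitive()`, so any subclass that overrides `isLowerCase()` is no longer honoured here while `isCaseInsensitive()` overrides still are. Use the accessor in both branches for consistency.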
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 10

News mentions: 0 (no linked articles in the index yet).