Apache Camel incoming header filter bypass/injection
CVE-2025-27636 is a bypass/injection vulnerability in Apache Camel caused by insufficient filtering of incoming Camel-specific headers. In affected releases, Camel's default incoming header filter only drops header names that start with "Camel", "camel", or "org.apache.camel.", and the comparison is case-sensitive. Camel itself keys message headers case-insensitively, so a mixed-case name such as "CAmelExecCommandExecutable" slips past the filter and is still honoured by a component that reads "CamelExecCommandExecutable". An attacker who can set headers on a message entering a Camel route, most commonly over HTTP when a Camel application is reachable from the internet through a component such as camel-servlet or camel-jetty, can therefore smuggle Camel-internal headers into the exchange and alter the behaviour of downstream components. Examples given by Apache: with camel-bean a forged header can invoke a different method on the same bean than the application intended; with camel-jms a forged header can redirect a message to a different queue on the same broker; and the advisory notes the same risk with camel-exec, where the header selects the command to run. The issue affects Apache Camel 4.10.0 through 4.10.1, 4.8.0 through 4.8.4, and 3.10.0 through 3.22.3; it is fixed in 4.10.2, 4.8.5 and 3.22.4.
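The filter logic and the bypass, as an added example written for this page rather than code taken from Apache Camel. Only the header names CamelExecCommandExecutable and CamelBeanMethodName are real Camel constants; `vulnerable_is_filtered`, `fixed_is_filtered`, the case-insensitive `header_lookup` and the camel-exec stand-in `resolve_exec_command` are simplified models of the behaviour described above, and the request headers are constructed.

```python
"""
Added example (not Apache Camel code): a model of the affected incoming header
filter, the mixed-case bypass, and why the bypassed header still takes effect.
"""
from typing import Callable, Dict, List, Optional

# Prefixes the affected default filter drops, compared case-sensitively.
VULNERABLE_PREFIXES = ("Camel", "camel", "org.apache.camel.")


def vulnerable_is_filtered(name: str) -> bool:
    """Affected releases: case-sensitive startswith, so 'CAmel...' is not matched."""
    return name.startswith(VULNERABLE_PREFIXES)


def fixed_is_filtered(name: str) -> bool:
    """What a correct filter must do: compare the prefix case-insensitively."""
    return name.lower().startswith(("camel", "org.apache.camel."))


def apply_filter(headers: Dict[str, str],
                 is_filtered: Callable[[str], bool]) -> Dict[str, str]:
    """Keep only the inbound headers the given filter lets into the exchange."""
    return {k: v for k, v in headers.items() if not is_filtered(k)}


def header_lookup(headers: Dict[str, str], wanted: str) -> Optional[str]:
    """Camel keys message headers case-insensitively, so a component asking for
    'CamelExecCommandExecutable' also sees 'CAmelExecCommandExecutable'."""
    for k, v in headers.items():
        if k.lower() == wanted.lower():
            return v
    return None


def resolve_exec_command(headers: Dict[str, str], configured: str,
                         is_filtered: Callable[[str], bool]) -> str:
    """Stand-in for camel-exec choosing its executable: a surviving
    CamelExecCommandExecutable header overrides the endpoint's configured command."""
    surviving = apply_filter(headers, is_filtered)
    override = header_lookup(surviving, "CamelExecCommandExecutable")
    return configured if override is None else override


def bypass_headers(headers: Dict[str, str]) -> List[str]:
    """Header names the vulnerable filter passes but the fixed filter drops:
    exactly the attacker's mixed-case Camel headers. Usable as a detection
    rule over captured request headers."""
    return [k for k in headers
            if not vulnerable_is_filtered(k) and fixed_is_filtered(k)]


# Constructed inbound HTTP headers for a route whose endpoint is exec:whoami.
SAMPLE_REQUEST = {
    "Content-Type": "text/plain",
    "CamelExecCommandExecutable": "id",   # correctly cased: dropped by both filters
    "CAmelExecCommandExecutable": "id",   # mixed case: passes the vulnerable filter
    "cAmelBeanMethodName": "deleteAll",   # same trick aimed at camel-bean
}

if __name__ == "__main__":
    print("vulnerable release runs:",
          resolve_exec_command(SAMPLE_REQUEST, "whoami", vulnerable_is_filtered))
    print("fixed release runs:     ",
          resolve_exec_command(SAMPLE_REQUEST, "whoami", fixed_is_filtered))
    print("bypass attempts seen:   ", bypass_headers(SAMPLE_REQUEST))
```

The two filters differ only in the case of the comparison, which is the whole bug: the gap between a case-sensitive filter and a case-insensitive header map is what lets the forged header through. `bypass_headers` is the check to run over access logs or a reverse proxy's captured request headers while a patch is pending; any header it returns is an attempt to reach a Camel-internal header and has no legitimate reason to come from a client.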
Exploits
Two public exploit repositories, after fakes, detection-only scripts, and README-only repositories were filtered out.
This repository is a practical exploitation lab for CVE-2025-27636, which it exercises as remote command execution through Apache Camel's 'camel-exec' component (the lab describes it as a critical RCE). The vulnerability arises from case-sensitive filtering of Camel-internal headers, so an attacker can bypass the filter by changing the header's casing (e.g. 'cAmeLexecCommandExecutable'). The lab provides a Java application ('PinewoodAutoShopCamel.java') that uses Apache Camel and Jetty to expose HTTP routes such as '/tasks', '/systeminfo', and '/network', each of which runs OS commands through the 'exec:' component. The exploit is demonstrated by sending HTTP requests carrying these specially cased headers, which results in arbitrary command execution on the server. The repository includes build files (pom.xml), configuration (application.properties), and a web UI (index.html). The exploit is a proof-of-concept intended for educational purposes only.
This repository provides a proof-of-concept (PoC) for two Apache Camel vulnerabilities, CVE-2025-27636 and CVE-2025-29891. The main exploit is a Java application (src/main/java/com/example/camel/VulnerableCamel.java) that sets up an HTTP endpoint at /vulnerable using the Camel Jetty and Exec components. By default the endpoint runs 'whoami', but because HTTP headers and query parameters are not filtered properly, an attacker can override the command by sending a specially cased 'CAmelExecCommandExecutable' header or query parameter, giving arbitrary command execution (RCE). The repository also includes detection scripts (detection/CamelScanner.ps1 for PowerShell and detection/CamelScanner.sh for Bash) that scan file systems for vulnerable versions of the Apache Camel library by inspecting JAR files and their MANIFEST.MF files; these scripts only detect and do not exploit. Repository layout:
- README.MD: explanation of the vulnerabilities, exploitation steps, and affected versions.
- src/main/java/com/example/camel/VulnerableCamel.java: the vulnerable Java application demonstrating the exploit.
- detection/: PowerShell and Bash scripts for detecting vulnerable Camel libraries, with a README.
- pom.xml: Maven configuration pulling in the vulnerable Camel components.
The main exploit capability is remote command execution via HTTP requests to the /vulnerable endpoint against the vulnerable Camel versions.
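The core of a version check like the one the MANIFEST.MF scanners above perform, as an added example written for this page and not code from either repository. It uses the affected ranges listed for this CVE; the manifest fragments are constructed, the attributes it reads (Bundle-Version, with Implementation-Version as a fallback) are an assumption about how the jar was built, and MANIFEST.MF continuation lines (a leading space) are skipped, which is harmless for short version values.

```python
"""
Added example (not from the repositories described above): decide whether a
Camel jar version falls in the ranges published for CVE-2025-27636, reading
the version out of constructed MANIFEST.MF text.
"""
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# Inclusive affected ranges as listed for this CVE: 4.10.0-4.10.1, 4.8.0-4.8.4,
# 3.10.0-3.22.3 (fixed in 4.10.2, 4.8.5 and 3.22.4).
AFFECTED_RANGES = (
    ((4, 10, 0), (4, 10, 1)),
    ((4, 8, 0), (4, 8, 4)),
    ((3, 10, 0), (3, 22, 3)),
)


def parse_version(text: str) -> Optional[Version]:
    """Take the leading major.minor.patch of a version string such as '4.10.1'
    or '3.22.3.redhat-00001' (vendor suffix ignored); None if not numeric."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(version: str) -> bool:
    """True when the version lies inside one of the published affected ranges.
    Unparseable versions return False; callers should report those separately."""
    v = parse_version(version)
    if v is None:
        return False
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def manifest_version(manifest: str) -> Optional[str]:
    """Pull the library version out of a MANIFEST.MF body. Bundle-Version is the
    OSGi attribute Camel artifacts carry (assumption); Implementation-Version is
    the fallback. Continuation lines (leading space) are skipped."""
    fields: Dict[str, str] = {}
    for line in manifest.splitlines():
        if ":" in line and not line.startswith(" "):
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    return fields.get("Bundle-Version") or fields.get("Implementation-Version")


# Constructed MANIFEST.MF fragments, not copied from any real jar.
SAMPLE_MANIFESTS = {
    "camel-exec-4.10.1.jar": (
        "Manifest-Version: 1.0\n"
        "Bundle-SymbolicName: org.apache.camel.camel-exec\n"
        "Bundle-Version: 4.10.1\n"),
    "camel-core-4.10.2.jar": (
        "Manifest-Version: 1.0\n"
        "Bundle-SymbolicName: org.apache.camel.camel-core\n"
        "Bundle-Version: 4.10.2\n"),
    "camel-jms-3.22.3.jar": (
        "Manifest-Version: 1.0\n"
        "Implementation-Version: 3.22.3\n"),
}


def scan(manifests: Dict[str, str]) -> Dict[str, Tuple[str, bool]]:
    """Map jar name -> (version, affected?) for every manifest with a version."""
    results: Dict[str, Tuple[str, bool]] = {}
    for jar, text in manifests.items():
        version = manifest_version(text)
        if version is not None:
            results[jar] = (version, is_affected(version))
    return results


if __name__ == "__main__":
    for jar, (version, hit) in scan(SAMPLE_MANIFESTS).items():
        print(f"{jar}: {version} {'AFFECTED' if hit else 'ok'}")
```

A hit means a library version inside a published range is on disk, not that the application is exploitable: exposure also needs a route that accepts attacker-controlled headers (typically an internet-facing HTTP consumer) and a downstream component that honours Camel-internal headers. Conversely, a version outside the listed ranges is only "not in a published range", which is not the same as verified safe; treat unparseable versions as findings to inspect by hand rather than as clean.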
Recent activity
21 sources tracked across advisories, community write-ups, and news.
A previously addressed Apache Camel incoming-header filter vulnerability, referenced as related because it involves the same header injection pattern.
A prior Apache Camel vulnerability whose original fix addressed HTTP HeaderFilterStrategy handling of case-variant Camel-internal headers but did not fully cover non-HTTP HeaderFilterStrategy implementations.
An Apache Camel vulnerability caused by case-sensitive header filtering: altering a header's case lets an attacker bypass the filter and influence internal Camel processing, up to command execution in certain component configurations.