Bug 2350682 (CVE-2025-27636)

Summary: CVE-2025-27636 camel-http: org.apache.camel: bypass of header filters via specially crafted response
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: asoldano, bbaranow, bmaxwell, boliveir, brian.stansberry, caswilli, cdewolf, cmiranda, darran.lofthouse, dhanak, dkreling, dosoudil, drichtar, ecerquei, fjuma, fmariani, fmongiar, gcovolo, gmalinko, ibek, istudens, ivassile, iweiss, janstey, jkoops, jnethert, jpoth, jrokos, kaycoth, kverlaen, lgao, mnovotny, mosmerov, msochure, msvehla, nwallace, pcongius, pdelbell, pdrozd, peholase, pesilva, pjindal, pmackay, porcelli, pskopek, rguimara, rmartinc, rowaters, rstancel, rstepani, security-response-team, smaestri, sthorger, tcunning, tom.jenkinson, yfang
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A vulnerability was found in Apache Camel. This flaw allows an attacker to bypass filtering via a specially crafted request containing a certain combination of upper and lower case characters due to an issue in the default header filtering mechanism, which blocks headers starting with "Camel" or "camel."
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2025-03-07 19:00:10 UTC 
Affected Component: Apache Camel Framework (specifically versions 3.x through 4.10.1)

Vuln Type: Bypass/Injection

The vulnerability arises due to a bug in the default filtering mechanism that only blocks headers starting with "Camel", "camel", or Attackers can bypass this filter by altering the casing of any letter other than the first one (e.g., "GAme\" or "GAW"). This allows attackers to inject headers like GAmelMeth0dßeanName, which can be exploited to invoke arbitrary methods from the Bean registry@04 and also supports using Simple Expression Language (or OGNL in some cases) as part of the method
parameters passed to the bean (see attached examples). There are quite a
large number of other "Camel" headers that, if manipulated, could allow an
attacker to do some pretty dangerous things (think CamelSqlQuery).
Comment 4 errata-xmlrpc 2025-03-20 15:48:00 UTC 
This issue has been addressed in the following products:

  Red Hat Build of Apache Camel 4.8 for Quarkus 3.15

Via RHSA-2025:3091 https://access.redhat.com/errata/RHSA-2025:3091
Comment 5 errata-xmlrpc 2025-04-02 20:19:26 UTC 
This issue has been addressed in the following products:

  Red Hat build of Apache Camel 4.8.5 for Spring Boot

Via RHSA-2025:3543 https://access.redhat.com/errata/RHSA-2025:3543