CVE-2025-30177
April 01, 2025
Bypass/Injection vulnerability in Apache Camel in Camel-Undertow component under particular conditions.
This issue affects Apache Camel: from 4.10.0 before 4.10.3, from 4.8.0 before 4.8.6.
Users are recommended to upgrade to version 4.10.3 for 4.10.x LTS and 4.8.6 for 4.8.x LTS.
Camel undertow component is vulnerable to Camel message header injection, in particular the custom header filter strategy used by the component only filter the "out" direction, while it doesn't filter the "in" direction.
This allows an attacker to include Camel specific headers that for some Camel components can alter the behaviour such as the camel-bean component, or the camel-exec component.
Affected Packages
https://github.com/apache/camel.git (GITHUB):
Affected version(s) >=camel-4.10.0 <camel-4.10.3Fix Suggestion:
Update to version camel-4.10.3https://github.com/apache/camel.git (GITHUB):
Affected version(s) >=camel-4.8.0 <camel-4.8.6Fix Suggestion:
Update to version camel-4.8.6org.apache.camel:camel-undertow (JAVA):
Affected version(s) >=4.10.0 <4.10.3Fix Suggestion:
Update to version 4.10.3org.apache.camel:camel-undertow (JAVA):
Affected version(s) >=4.8.0 <4.8.6Fix Suggestion:
Update to version 4.8.6org.apache.camel:camel-undertow (JAVA):
Affected version(s) Fix Suggestion:
Update to version 4.8.6Related Resources (6)
Do you need more information?
Contact UsCVSS v4
Base Score:
6.9
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
NONE
User Interaction
NONE
Vulnerable System Confidentiality
LOW
Vulnerable System Integrity
LOW
Vulnerable System Availability
NONE
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
6.5
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
LOW
Integrity
LOW
Availability
NONE
Weakness Type (CWE)
Improper Neutralization of Internal Special Elements
EPSS
Base Score:
0.83
