CVE-2025-30177
Apache Camel: Camel-Undertow Message Header Injection via Improper Filtering
Severity Score
6.5
*CVSS v3.1
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
0
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
Track
*SSVC
Descriptions
Bypass/Injection vulnerability in Apache Camel in Camel-Undertow component under particular conditions. This issue affects Apache Camel: from 4.10.0 before 4.10.3, from 4.8.0 before 4.8.6. Users are recommended to upgrade to version 4.10.3 for 4.10.x LTS and 4.8.6 for 4.8.x LTS. Camel undertow component is vulnerable to Camel message header injection, in particular the custom header filter strategy used by the component only filter the "out" direction, while it doesn't filter the "in" direction. This allows an attacker to include Camel specific headers that for some Camel components can alter the behaviour such as the camel-bean component, or the camel-exec component.
*Credits:
Mark Thorson of AT&T, Mark Thorson of AT&T
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:Track
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2025-03-17 CVE Reserved
- 2025-04-01 CVE Published
- 2025-04-01 CVE Updated
- 2025-04-02 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-164: Improper Neutralization of Internal Special Elements
CAPEC
References (3)
| URL | Tag | Source |
|---|---|---|
| https://camel.apache.org/security/CVE-2025-27636.html | Related | |
| https://camel.apache.org/security/CVE-2025-29891.html | Related |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://lists.apache.org/thread/dj79zdgw01j337lr9gvyy4sv8xfyw8py | 2025-04-01 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Apache Software Foundation Search vendor "Apache Software Foundation" | Apache Camel Search vendor "Apache Software Foundation" for product "Apache Camel" | >= 4.10.0 < 4.10.3 Search vendor "Apache Software Foundation" for product "Apache Camel" and version " >= 4.10.0 < 4.10.3" | en |
Affected
| ||||||
| Apache Software Foundation Search vendor "Apache Software Foundation" | Apache Camel Search vendor "Apache Software Foundation" for product "Apache Camel" | >= 4.8.0 < 4.8.6 Search vendor "Apache Software Foundation" for product "Apache Camel" and version " >= 4.8.0 < 4.8.6" | en |
Affected
| ||||||