CVE-2025-30177

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2025-30177

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-30177.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-30177

Aliases

GHSA-vq4p-pchp-6g6v

Published

2025-04-01T12:15:15Z

Modified

2025-04-16T03:29:47.398455Z

Summary

[none]

Details

Bypass/Injection vulnerability in Apache Camel in Camel-Undertow component under particular conditions.

This issue affects Apache Camel: from 4.10.0 before 4.10.3, from 4.8.0 before 4.8.6.

Users are recommended to upgrade to version 4.10.3 for 4.10.x LTS and 4.8.6 for 4.8.x LTS.

Camel undertow component is vulnerable to Camel message header injection, in particular the custom header filter strategy used by the component only filter the "out" direction, while it doesn't filter the "in" direction.

This allows an attacker to include Camel specific headers that for some Camel components can alter the behaviour such as the camel-bean component, or the camel-exec component.

References

Affected packages

Git / github.com/apache/camel

Affected ranges

Type: GIT
Repo: https://github.com/apache/camel
Events: Introduced

071f95d5647b8597ca1c4ae6201b3442f87d120d

Fixed

f8b3a16077cab2e85f58d2e47b5d3355d27c1f8a

Affected versions

camel-4.*

camel-4.8.0

camel-4.8.1

camel-4.8.2

camel-4.8.3

camel-4.8.4

camel-4.8.5