
[GHSA-2c2h-2855-mf97] Apache Camel: Camel Message Header Injection via Improper Filtering #5477


Open
wants to merge 1 commit into
base: spanishvader/advisory-improvement-5477

Conversation

spanishvader

Updates

  • CVSS v4
  • Description
  • Severity

Comments
Provided more examples in the description of components that would have more serious impacts such as the sql and exec component. Depending on components used downstream, confidentiality, integrity, and availability impacts could be high. Example: with the SQL component the attacker overrides SQL query to extract data from the database or drops tables. With the exec component or docker component (and possibly others) full RCE could be possible.

@github-actions github-actions bot changed the base branch from main to spanishvader/advisory-improvement-5477 April 23, 2025 14:58
@shelbyc
Contributor

shelbyc commented Apr 23, 2025

Hi @spanishvader, adding the following:

This could also be seen by using the camel-exec component where an attacker could use the CamelExecCommandExecutable message header to override the command to be executed or CamelSqlQuery in the camel-sql component to override the SQL query to execute. The CamelDockerCmd and CamelDockerEntryPoint message headers could be abused if the docker component is in use.

Appears to be consistent with the proof of concept at https://github.com/akamai/CVE-2025-27636-Apache-Camel-PoC/blob/main/src/main/java/com/example/camel/VulnerableCamel.java, which has the following comment:

// define a static command. This can be overwritten using the "CamelExecCommandExecutable" header

However, the proposed change in CVSS raises the severity from medium, as assessed by Apache here and CISA-ADP here, to critical. Can you talk more about what led you to the conclusion that the vulnerability is of critical severity?

@spanishvader
Author

Hey @shelbyc,

Sure, I can provide a little more context. All I did in the CVSS calculator was increase the Integrity impact and Confidentiality impact from low to high, and I will provide a few examples as reasons why I believe both should be increased.

Here is a simple example of how Integrity could be impacted in a vulnerable application. Imagine an application is using one of the camel-http components to provide an HTTP service and passing data to the SQL component to perform a query that is supposed to retrieve information. Let's just imagine the database has a Users table. In this example an attacker would be able to affect the integrity of the database with an HTTP request that looks something like this:

GET /vulnerable/api HTTP/1.1
Host: example
CaMelSqlQuery: DROP TABLE Users;

or

GET /vulnerable/api HTTP/1.1
Host: example
CaMelSqlQuery: INSERT INTO Users (username, password, role) VALUES ('admin_user', 'hashed_password_here', 'admin');

Using the same example confidentiality could be impacted as well since an attacker could modify the query to extract data of other users with an HTTP request like this:

GET /vulnerable/api HTTP/1.1
Host: example
CaMelSqlQuery: SELECT * FROM Users WHERE username = 'admin';

This is not too different from a SQL injection flaw and those typically carry a critical rating.

There are many components that process Apache Camel message headers that, if altered, could have serious implications. In the File component the CamelFileName message header could be overridden to change which file is read or written to. In the exec component the CamelExecCommandExecutable could be used to achieve RCE. I could provide more examples if needed, but I think RCE and the ability to perform arbitrary SQL queries are critical enough. The big issue here is that the impact is highly dependent on what components are used.

I think there is a little inconsistency in the ratings since CVE-2025-27636, CVE-2025-29891, and CVE-2025-30177 are basically all the same issue with the same impact but have different ratings. In reality all 3 of these CVEs should carry the same rating. You could also compare the CVEs above to CVE-2013-4330, which is rated as critical (all assessed by Apache), and you would see that the 3 above can be exploited remotely and result in the same or worse outcome.

I apologize for the long response, hopefully this helps.
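The thread above turns on one mechanism: an externally supplied HTTP header whose name only differs from an internal Camel header by letter case (the mixed-case CaMelSqlQuery in spanishvader's requests, the CamelExecCommandExecutable and CamelSqlQuery headers shelbyc lists) passes a case-sensitive filter and then takes precedence over the route's static value. The following is an added, stand-alone Python model written for this page; it is not Camel's code and does not use Camel's HeaderFilterStrategy API. It parses a constructed request in the shape shown above, contrasts a case-sensitive prefix filter with a case-insensitive one, shows which query each variant would hand to the downstream component, and returns the header names a defender would log or alert on. The blocked prefixes, the route's default query and the precedence rule are assumptions of the example.

```python
import re

# Constructed raw HTTP request modelled on the requests quoted in the thread
# (mixed-case "CaMelSqlQuery"); sample data, not taken from the PoC repository.
SAMPLE_REQUEST = (
    "GET /vulnerable/api HTTP/1.1\r\n"
    "Host: example\r\n"
    "Accept: application/json\r\n"
    "CaMelSqlQuery: DROP TABLE Users;\r\n"
    "X-Forwarded-For: 203.0.113.7\r\n"
    "\r\n"
)

# Assumed static query a route would hand to the SQL component.
ROUTE_DEFAULT = "SELECT id, username FROM Users WHERE id = :#id"


def parse_headers(raw_request: str) -> dict:
    """Split a raw HTTP/1.1 request into a {name: value} map of its headers."""
    head, _, _body = raw_request.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return headers


def naive_filter(headers: dict) -> dict:
    """Case-sensitive check: drops only names that literally start with 'Camel'.
    'CaMelSqlQuery' survives, which is the improper-filtering problem."""
    return {k: v for k, v in headers.items() if not k.startswith("Camel")}


# Assumed prefixes for framework-internal headers; matched ignoring case so
# that no spelling variant reaches a downstream component.
INTERNAL_HEADER_RE = re.compile(r"^(camel|org\.apache\.camel)", re.IGNORECASE)


def hardened_filter(headers: dict) -> dict:
    """Drop any externally supplied header that would be read as an internal one."""
    return {k: v for k, v in headers.items() if not INTERNAL_HEADER_RE.match(k)}


def flagged_headers(headers: dict) -> list:
    """Names the hardened filter drops but the naive one keeps: a client sent a
    header only the framework should set, which is worth logging or alerting on."""
    kept_by_hardened = hardened_filter(headers)
    return sorted(k for k in naive_filter(headers) if k not in kept_by_hardened)


def resolve_query(headers: dict, route_default: str,
                  query_header: str = "CamelSqlQuery") -> str:
    """Model the precedence the thread describes: a message header carrying the
    component's query name wins over the route's static query. HTTP header names
    are case-insensitive, so the lookup is too."""
    for name, value in headers.items():
        if name.lower() == query_header.lower():
            return value
    return route_default


def demo() -> dict:
    """Run both filters over the sample request and report what each would execute."""
    hdrs = parse_headers(SAMPLE_REQUEST)
    return {
        "naive": resolve_query(naive_filter(hdrs), ROUTE_DEFAULT),
        "hardened": resolve_query(hardened_filter(hdrs), ROUTE_DEFAULT),
        "flagged": flagged_headers(hdrs),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the block prints the query each filter variant would pass downstream: with the naive filter the client's header replaces the route's query, with the hardened filter the route default survives and CaMelSqlQuery is reported as a flagged header. The same shape applies to the other headers named in the thread (CamelExecCommandExecutable, CamelFileName, CamelDockerCmd): the fix is to strip framework-internal names case-insensitively at the boundary, and the flagged list is the detection signal.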
