org.apache.camel:camel-support@4.10.1 vulnerabilities

  • latest version: 4.11.0

  • first published: 6 years ago

  • latest version published: 17 days ago

  • Direct Vulnerabilities

    Known vulnerabilities in the org.apache.camel:camel-support package. This does not include vulnerabilities belonging to this package’s dependencies.

    Vulnerability | Vulnerable Version

    • Severity: C (Critical)
    Improper Handling of Case Sensitivity

    Affected versions of this package are vulnerable to Improper Handling of Case Sensitivity due to a flaw in the header filtering mechanism that only blocks headers starting with specific prefixes, and which can be manipulated so that HTTP parameter values are treated as headers. If an application accepts HTTP requests directly from the internet, an attacker can invoke arbitrary methods from the Bean registry or use expressions as part of the method parameters, leading to unauthorized actions.

    Notes:

    This is only exploitable if the user is using one of the following HTTP servers via one of the following Camel components: camel-servlet, camel-jetty, camel-undertow, camel-platform-http, camel-netty-http, and in the route the exchange is routed to a camel-bean producer. So only the camel-bean component is affected. In particular, this is only exploitable if:

    1. Any of the above components are used together with camel-bean component;

    2. The bean that can be called has more than 1 method implemented;

    3. Methods are declared in the same bean specified in the bean URI.

    The interaction between the dependencies described above is the necessary precondition to be vulnerable, but camel-support is the dependency whose vulnerable code is the root cause of the issue. Upgrading it to the fixed version ensures that the vulnerability has been remediated. Application owners for whom upgrading is not an option, or whose environment does not meet all of the criteria for exploitation, should consider the suggested workaround or, if the issue is inapplicable, safely ignore it.

    This vulnerability achieves the same effect as the one described in CVE-2025-27636. The present vulnerability's vector involves the translation of HTTP parameters into malicious headers and was therefore not explicitly addressed in the previous formulation and publication.

    How to fix Improper Handling of Case Sensitivity?

    Upgrade org.apache.camel:camel-support to version 3.22.4, 4.8.5, 4.10.2 or higher.

    Vulnerable versions: [3.10.0,3.22.4), [4.8.0,4.8.5), [4.10.0,4.10.2)

    • Severity: C (Critical)
    Improper Handling of Case Sensitivity

    Affected versions of this package are vulnerable to Improper Handling of Case Sensitivity due to a flaw in the default filtering mechanism that only blocks headers starting with specific prefixes. An attacker can manipulate header entries to invoke arbitrary methods from the Bean registry or use expressions as part of the method parameters, leading to unauthorized actions.

    Notes:

    This is only exploitable if the user is using one of the following HTTP servers via one of the following Camel components: camel-servlet, camel-jetty, camel-undertow, camel-platform-http, camel-netty-http, and in the route the exchange is routed to a camel-bean producer. So only the camel-bean component is affected. In particular, this is only exploitable if:

    1. Any of the above components are used together with camel-bean component;

    2. The bean that can be called has more than 1 method implemented;

    3. Methods are declared in the same bean specified in the bean URI.

    The interaction between the dependencies described above is the necessary precondition to be vulnerable, but camel-support is the dependency whose vulnerable code is the root cause of the issue. Upgrading it to the fixed version ensures that the vulnerability has been remediated. Application owners for whom upgrading is not an option, or whose environment does not meet all of the criteria for exploitation, should consider the suggested workaround or, if the issue is inapplicable, safely ignore it.

    How to fix Improper Handling of Case Sensitivity?

    Upgrade org.apache.camel:camel-support to version 3.22.4, 4.8.5, 4.10.2 or higher.

    Vulnerable versions: [3.10.0,3.22.4), [4.8.0,4.8.5), [4.10.0,4.10.2)
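    As an added illustration of the filtering weakness both advisories above describe (standalone Python, not Apache Camel's own code), the following compares a case-sensitive reserved-prefix check with the case-insensitive check a fixed filter needs, applies both to a constructed request whose query parameters are merged into headers, and includes a detection helper that flags names differing from a reserved prefix only by case. The prefix list and all sample header and parameter names are assumptions made for the example.

```python
# Added example, not Apache Camel code. Models the flaw described above:
# a filter that blocks reserved header prefixes case-sensitively lets a
# mixed-case name through, and because HTTP parameters are also mapped to
# exchange headers, parameter names get the same treatment.
from typing import Callable, Dict, Iterable, List

# Assumed reserved prefixes for the purpose of this example.
RESERVED_PREFIXES = ("Camel", "camel", "org.apache.camel")


def is_reserved_weak(name: str) -> bool:
    """Case-sensitive prefix check: the flawed behaviour."""
    return name.startswith(RESERVED_PREFIXES)


def is_reserved_hardened(name: str) -> bool:
    """Case-insensitive prefix check: what a fixed filter must do."""
    lowered = name.lower()
    return any(lowered.startswith(p.lower()) for p in RESERVED_PREFIXES)


def build_exchange_headers(http_headers: Dict[str, str],
                           query_params: Dict[str, str],
                           reserved: Callable[[str], bool]) -> Dict[str, str]:
    """Merge headers and parameters into exchange headers, dropping reserved names.

    `reserved` is the predicate under test, so the weak and hardened
    filters can be compared on the same input.
    """
    merged = {**http_headers, **query_params}
    return {k: v for k, v in merged.items() if not reserved(k)}


def find_reserved_lookalikes(names: Iterable[str]) -> List[str]:
    """Detection aid: names that slip past the weak filter but are reserved
    once case is ignored. Useful over access logs or in a request filter."""
    return sorted(n for n in names
                  if is_reserved_hardened(n) and not is_reserved_weak(n))


# Constructed sample request (names are illustrative, not real Camel headers).
SAMPLE_HEADERS = {"Content-Type": "text/plain", "CAMELExampleHeader": "x"}
SAMPLE_PARAMS = {"id": "42", "cAmElExampleParam": "y",
                 "ORG.apache.camel.Example": "z"}

if __name__ == "__main__":
    print("weak filter keeps:", sorted(build_exchange_headers(
        SAMPLE_HEADERS, SAMPLE_PARAMS, is_reserved_weak)))
    print("hardened filter keeps:", sorted(build_exchange_headers(
        SAMPLE_HEADERS, SAMPLE_PARAMS, is_reserved_hardened)))
    print("lookalikes:", find_reserved_lookalikes(
        {**SAMPLE_HEADERS, **SAMPLE_PARAMS}))
```

    The weak filter keeps all five names because none starts with a prefix in exactly the reserved casing, while the hardened filter keeps only `Content-Type` and `id`.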