Improper Handling of Case Sensitivity Affecting org.apache.camel:camel-support package, versions [3.10.0,3.22.4), [4.8.0,4.8.5), [4.10.0,4.10.2)


Severity

CVSS assessment made by Snyk's Security Team.

Threat Intelligence

Exploit Maturity
Attacked

  • Snyk ID: SNYK-JAVA-ORGAPACHECAMEL-9402847
  • Published: 13 Mar 2025
  • Disclosed: 12 Mar 2025
  • Credit: Ryan Barnett

Introduced: 12 Mar 2025

CVE-2025-29891
CWE-178

How to fix?

Upgrade org.apache.camel:camel-support to version 3.22.4, 4.8.5, 4.10.2 or higher.

Overview

Affected versions of this package are vulnerable to Improper Handling of Case Sensitivity due to a flaw in the header filtering mechanism that only blocks headers starting with specific prefixes, and may be manipulated to treat parameter values as headers. If an application accepts HTTP requests directly from the internet, an attacker can invoke arbitrary methods from the Bean registry or use expressions as part of the method parameters, leading to unauthorized actions.

Notes:

This is only exploitable if the application uses one of the following HTTP servers via one of the following Camel components: camel-servlet, camel-jetty, camel-undertow, camel-platform-http or camel-netty-http, and the route then sends the exchange to a camel-bean producer. So only the camel-bean component is affected. In particular, this is only exploitable if:

  1. Any of the above components are used together with camel-bean component;

  2. The bean that can be called, has more than 1 method implemented;

  3. Methods are declared in the same bean specified in the bean URI.

The interaction between the dependencies described above is the necessary precondition to be vulnerable, but camel-support is the dependency whose vulnerable code is the root cause of the issue. Upgrading it to the fixed version ensures that the vulnerability has been remediated. Application owners for whom upgrading is not an option or whose environment does not meet all of the criteria for exploitation should consider the suggested workaround or safely ignoring this issue if it is inapplicable.

This vulnerability achieves the same effect as the one described in CVE-2025-27636. The present vulnerability's vector involves the translation of HTTP parameters into malicious headers and was therefore not explicitly addressed in the previous formulation and publication.

Workaround

This vulnerability can be mitigated by removing headers in Camel routes, either globally or per route, using the removeHeaders EIP to filter out headers not starting with the expected prefixes.
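As an added illustration of that workaround (example code, not from the advisory or the Camel project), the route below uses the removeHeaders EIP with a case-insensitive regular expression so that any header whose name begins with the Camel prefixes is dropped before the bean producer runs, regardless of letter case; the endpoint path, bean name, method name, header names and the exact pattern are assumptions.

```java
import java.util.List;
import java.util.regex.Pattern;
import java.util.stream.Collectors;
import org.apache.camel.builder.RouteBuilder;

public class HeaderFilterRoute extends RouteBuilder {

    // Case-insensitive regex (assumed pattern): any header name that starts with
    // "camel" or "org.apache.camel." in any letter case. A plain "Camel*" /
    // "camel*" prefix check is case-sensitive and misses mixed-case spellings.
    static final String CAMEL_HEADERS = "(?i)(camel|org\\.apache\\.camel\\.).*";

    @Override
    public void configure() {
        // Hypothetical route: an internet-facing platform-http consumer that ends
        // in a bean producer, i.e. the affected combination named in the advisory.
        from("platform-http:/orders")
            // removeHeaders accepts a regular expression, so the (?i) flag makes
            // the removal case-insensitive. Applying it per route keeps the
            // filtering independent of the component's default header filter.
            .removeHeaders(CAMEL_HEADERS)
            .to("bean:orderService?method=placeOrder");
    }

    /** Returns the subset of header names that CAMEL_HEADERS would remove. */
    static List<String> removed(List<String> headerNames) {
        Pattern p = Pattern.compile(CAMEL_HEADERS);
        return headerNames.stream()
                .filter(n -> p.matcher(n).matches())
                .collect(Collectors.toList());
    }

    public static void main(String[] args) {
        // Constructed header names, including mixed-case spellings of the Camel
        // prefixes that an exact-case prefix check would let through.
        List<String> names = List.of(
                "Content-Type",
                "CamelExample",
                "cAMELExample",
                "ORG.APACHE.CAMEL.Example",
                "X-Request-Id");
        System.out.println("removed: " + removed(names));
    }
}
```

Running the class prints the three Camel-prefixed names and leaves the ordinary HTTP headers in place, which is the behaviour the route applies to incoming exchanges.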

through the default incoming header filter. An attacker can manipulate the behavior of certain Camel components, such as camel-bean or camel-exec, by injecting malicious headers or parameters into HTTP requests. This is only exploitable if the Camel route uses these particular vulnerable components.
