Medium | Public exploit

Apache Camel incoming header filter bypass via HTTP parameters

Identifiers: CVE-2025-29891, CWE-74

Apache Camel contains a bypass/injection vulnerability in its default incoming header filter. In affected versions, attacker-controlled data supplied to Camel over HTTP can be translated into Camel-specific message headers, and the default filter does not adequately prevent those internal headers from being set. Apache states the issue is exploitable not only through malicious HTTP headers, but also through HTTP request parameters and request payload content that are mapped into headers. This can let an attacker inject Camel-specific headers that alter the behavior of downstream Camel components used by a route, including components such as camel-bean or camel-exec. The issue affects Apache Camel 4.10.0 before 4.10.2, 4.8.0 before 4.8.5, and 3.10.0 before 3.22.4. Apache notes this issue is related to CVE-2025-27636 and shares the same root cause and fix, but CVE-2025-29891 expands the exploitability to HTTP parameters.

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows an attacker to influence Camel route execution by injecting Camel-specific headers into message processing. In routes that use vulnerable downstream components, this can alter application behavior and may lead to remote command execution, including attacker-controlled process execution via components such as camel-exec. Depending on route design and connected components, impact can range from logic manipulation to full remote code execution.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce exposure by preventing direct internet access to Camel HTTP endpoints, especially routes reachable through camel-servlet, camel-jetty, camel-undertow, camel-platform-http, or camel-netty-http. Review routes that accept untrusted HTTP input and that invoke sensitive components such as camel-bean or camel-exec. Apply strict input validation and explicit header allowlisting/stripping at the HTTP ingress layer so Camel-specific internal headers cannot be derived from request parameters, payload fields, or user-controlled metadata.
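One way to express the ingress-side check described above, as an added example that is not code from Apache Camel or from this page's publisher. The prefix list, the function names and the sample requests are assumptions of the example; it inspects header names, query parameters and form-encoded body fields before a request is forwarded to a Camel HTTP endpoint.

```python
from urllib.parse import parse_qsl, urlsplit

# Assumption of this example: names in these namespaces are Camel-internal.
# Matching is case-insensitive and runs on URL-decoded names, which is
# deliberately conservative (a benign "camelCase" parameter is also rejected).
INTERNAL_PREFIXES = ("camel", "org.apache.camel.")
FORM_TYPE = "application/x-www-form-urlencoded"


def is_internal(name):
    return name.strip().lower().startswith(INTERNAL_PREFIXES)


def find_internal_names(url, headers, body=b""):
    """Return (source, name) pairs for every name that must not reach Camel."""
    hits = [("header", n) for n in headers if is_internal(n)]
    query = urlsplit(url).query
    hits += [("query", k) for k, _ in parse_qsl(query, keep_blank_values=True)
             if is_internal(k)]
    ctype = next((v for k, v in headers.items() if k.lower() == "content-type"), "")
    if ctype.split(";")[0].strip().lower() == FORM_TYPE:
        fields = parse_qsl(body.decode("latin-1"), keep_blank_values=True)
        hits += [("body", k) for k, _ in fields if is_internal(k)]
    return hits


def allow_request(url, headers, body=b""):
    """Ingress decision: reject the request if any internal name is present."""
    return not find_internal_names(url, headers, body)


# Constructed sample requests (not captured traffic).
SAMPLES = [
    ("/orders?id=7", {"Host": "app.example"}, b""),
    ("/orders?id=7&CamelExampleHeader=x", {"Host": "app.example"}, b""),
    ("/orders", {"cAmElExampleHeader": "x"}, b""),
    ("/orders", {"Content-Type": FORM_TYPE}, b"id=7&org.apache.camel.example=x"),
]

if __name__ == "__main__":
    for url, headers, body in SAMPLES:
        verdict = "allow" if allow_request(url, headers, body) else "reject"
        print(verdict, url, find_internal_names(url, headers, body))
```

Other payload formats that a route maps into headers (JSON fields, for example) need the same name check in whatever parser handles them; this example covers only form-encoded bodies.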

Remediation

Patch, then assume compromise.

Upgrade Apache Camel to a fixed version: 4.10.2 for the 4.10.x LTS branch, 4.8.5 for the 4.8.x LTS branch, or 3.22.4 for the 3.x branch. Because Apache states CVE-2025-29891 shares the same root cause and fix as CVE-2025-27636, ensure all deployments are updated to releases containing the corrected incoming header filtering behavior.
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability.

Vendor | Product | Type
Apache Software Foundation | Camel | application

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
