CVE-2025-30177

ANC

Medium

Bypass/Injection vulnerability in Apache Camel in Camel-Undertow component under particular conditions. This issue affects Apache Camel: fr…

CVSS

6.5

Medium

EPSS

0.01

p54

Published

2025-01-01

Updated

2025-01-01

Description

Bypass/Injection vulnerability in Apache Camel in Camel-Undertow component under particular conditions. This issue affects Apache Camel: from 4.10.0 before 4.10.3, from 4.8.0 before 4.8.6. Users are recommended to upgrade to version 4.10.3 for 4.10.x LTS and 4.8.6 for 4.8.x LTS. Camel undertow component is vulnerable to Camel message header injection, in particular the custom header filter strategy used by the component only filter the "out" direction, while it doesn't filter the "in" direction. This allows an attacker to include Camel specific headers that for some Camel components can alter the behaviour such as the camel-bean component, or the camel-exec component.

Tags · CWE

Pre-auth

CWE-164

Affected products

Camel 4.8.0–4.8.6Camel 4.10.0–4.10.3

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Timeline

2025-01-01

Published

2025-01-01

Updated

CVSS 3.1 breakdown

Attack Vector

AV: N

Network (N)

Attack Complexity

AC: L

Low (L)

Privileges Required

PR: N

None (N)

User Interaction

UI: N

None (N)

Scope

S: U

Unchanged (U)

Confidentiality Impact

C: L

Low (L)

Integrity Impact

I: L

Low (L)

Availability Impact

A: N

None (N)

Exploit indicators

EPSS

0.009 · p54

Known exploited (KEV)

Known exploits — Сканер-ВС

No Сканер-ВС checks registered for this vulnerability yet.

Affected products

Product	Vendor	Status
		Tracked
camel	*	Tracked

Source databases

ANC

CVE

Related vulnerabilities

BDU:2025-05050