Improper Handling of Case Sensitivity Affecting org.apache.camel:camel-support package, versions [3.10.0,3.22.4), [4.8.0,4.8.5), [4.10.0,4.10.2)


Severity

critical (CVSS assessment made by Snyk's Security Team)

Threat Intelligence

Exploit Maturity: Attacked
EPSS: 0.05% (19th percentile)

  • Snyk ID: SNYK-JAVA-ORGAPACHECAMEL-9376919
  • Published: 9 Mar 2025
  • Disclosed: 9 Mar 2025
  • Credit: Mark Thorson

Introduced: 9 Mar 2025

CVE-2025-27636
CWE-178 (Improper Handling of Case Sensitivity)

How to fix?

Upgrade org.apache.camel:camel-support to 3.22.4, 4.8.5 or 4.10.2 (whichever matches the release line in use) or higher.

Overview

Affected versions of this package are vulnerable to Improper Handling of Case Sensitivity. The default inbound header filter in camel-support only drops header names that begin with the exact prefixes it knows (Camel, camel, org.apache.camel.), while Camel looks exchange headers up case-insensitively. A request header such as CAmelBeanMethodName therefore passes the filter and is read by the bean component as CamelBeanMethodName, letting an attacker choose which method of the target bean is invoked, or supply expressions as part of the method parameters, leading to unauthorized actions.
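To make the mismatch concrete, the following plain-JDK program is an added illustration, not Camel source: it models the exact-case prefix filter as a startsWith check (Camel's own filter uses a pattern, which is not reproduced here) next to a case-insensitive header map like the one Camel uses for exchange headers, and runs a constructed request through both the vulnerable and the hardened check. The bean method names are made up for the demo.

```java
import java.util.Locale;
import java.util.Map;
import java.util.TreeMap;
import java.util.function.Predicate;

// Added illustration of the CWE-178 mismatch behind this advisory (not Camel code).
public class HeaderFilterCaseDemo {

    /** Vulnerable: exact-case prefix check, modelling the filter in affected camel-support versions. */
    static final Predicate<String> CASE_SENSITIVE_FILTER = name ->
            name.startsWith("Camel")
            || name.startsWith("camel")
            || name.startsWith("org.apache.camel.");

    /** Hardened: compare a lower-cased copy so every casing of the prefix is dropped. */
    static final Predicate<String> CASE_INSENSITIVE_FILTER = name -> {
        String n = name.toLowerCase(Locale.ROOT);
        return n.startsWith("camel") || n.startsWith("org.apache.camel.");
    };

    /**
     * Copies transport headers onto the exchange, dropping the ones the filter rejects.
     * The target map is case-insensitive, as Camel's exchange header map is.
     */
    static Map<String, String> applyInboundFilter(Map<String, String> transportHeaders,
                                                  Predicate<String> dropIf) {
        Map<String, String> exchangeHeaders = new TreeMap<>(String.CASE_INSENSITIVE_ORDER);
        transportHeaders.forEach((name, value) -> {
            if (!dropIf.test(name)) {
                exchangeHeaders.put(name, value);
            }
        });
        return exchangeHeaders;
    }

    /** What a bean-style consumer does: take the method name from the header, else use the default. */
    static String methodToInvoke(Map<String, String> exchangeHeaders) {
        return exchangeHeaders.getOrDefault("CamelBeanMethodName", "placeOrder");
    }

    public static void main(String[] args) {
        // Constructed request: a malicious client adds a mixed-case spelling of the Camel header.
        Map<String, String> request = Map.of(
                "Content-Type", "application/json",
                "CAmelBeanMethodName", "deleteAllOrders");

        System.out.println("vulnerable filter -> "
                + methodToInvoke(applyInboundFilter(request, CASE_SENSITIVE_FILTER)));
        System.out.println("hardened filter   -> "
                + methodToInvoke(applyInboundFilter(request, CASE_INSENSITIVE_FILTER)));
    }
}
```

With the case-sensitive predicate the injected header survives the filter and, because the lookup is case-insensitive, it is what the consumer reads as CamelBeanMethodName; with the hardened predicate it is dropped and the consumer falls back to the default method.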

Notes:

This is only exploitable if the application exposes one of the following HTTP server components: camel-servlet, camel-jetty, camel-undertow, camel-platform-http or camel-netty-http, and the route then passes the exchange to a camel-bean producer; the bean component is the only component affected by the injected header. In particular, this is only exploitable if:

  1. Any of the above components are used together with camel-bean component;

  2. The bean being called has more than one method;

  3. The method the attacker targets is declared in the same bean that the bean URI names.

The interaction between the dependencies described above is the necessary precondition for exploitation, but camel-support is the dependency whose vulnerable code is the root cause, and upgrading it to a fixed version remediates the issue. Application owners who cannot upgrade should apply the workaround below; those whose deployment does not meet all of the exploitation criteria can treat the issue as not applicable, but should revisit that assessment if an HTTP consumer or a camel-bean producer is later added to a route.

Workaround

This vulnerability can be mitigated by removing headers in Camel routes, either globally or per route, using the removeHeaders EIP to drop any inbound header whose name spells a Camel prefix (Camel, camel, org.apache.camel.) in any other casing, for example cAmelBeanMethodName or CAMELBeanMethodName, since those are the names the default filter does not recognise.
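An added example of that workaround in the Java DSL (it is not from the Camel project or the advisory): the route, the orderService bean and the port are hypothetical, and it assumes removeHeaders' usual matching of header names, where a pattern ending in "*" is a case-sensitive prefix wildcard and anything else is tried as a regular expression.

```java
import org.apache.camel.builder.RouteBuilder;

// Added example of the removeHeaders mitigation; needs camel-core and camel-jetty on the classpath.
// OrdersRoute, orderService and the /orders endpoint are hypothetical names.
public class OrdersRoute extends RouteBuilder {

    @Override
    public void configure() {
        // Unmitigated shape: whatever the default inbound filter lets through reaches the bean processor.
        // from("jetty:http://0.0.0.0:8080/orders")
        //     .to("bean:orderService");

        from("jetty:http://0.0.0.0:8080/orders")
            // Remove every header whose name spells a Camel prefix in any casing
            // ("cAmel...", "CAMEL...", "Org.Apache.Camel..."): the regex is case-insensitive,
            // while the exclude patterns are exact-case prefix wildcards, so only the canonical
            // spellings that Camel itself sets (e.g. CamelHttpMethod) are kept.
            .removeHeaders("(?i)(camel|org\\.apache\\.camel).*",
                           "Camel*", "camel*", "org.apache.camel.*")
            .to("bean:orderService");
    }
}
```

Scoping the regex to Camel-looking names keeps ordinary client headers such as Content-Type intact; if the route needs no client-supplied headers at all, removing "*" with the same three exclude patterns is the blunter option. For a global variant, the same removeHeaders call can hang off interceptFrom() in the RouteBuilder instead of each route.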
