Apache Camel Vulnerability Allows Attackers to Inject Arbitrary Headers


A newly disclosed security vulnerability in Apache Camel, tracked as CVE-2025-27636, has raised alarms across the cybersecurity community.

The flaw allows attackers to inject arbitrary headers into Camel Exec component configurations, potentially enabling remote code execution (RCE).

The vulnerability impacts several versions, including 3.10.0 through 3.22.3, 4.8.0 through 4.8.4, and 4.10.0 through 4.10.1.

This flaw highlights the dangers of misconfigured header filtering in Apache Camel, a widely used integration framework designed for connecting various systems and applications.

Security professionals are urging organizations using vulnerable versions to patch their systems immediately to mitigate the risks.

The vulnerability stems from incorrect header handling by the Camel framework, specifically when header names use altered casing, according to a report on GitHub.

Exploiting the flaw allows attackers to bypass filters and override static commands specified in the Camel configurations.
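
The filtering gap described above, as an added Python model that is not Apache Camel's code and not part of the original story: a prefix filter that compares header names in exact case, feeding a consumer that reads headers case-insensitively, next to a corrected filter and a check that flags case-variant names. The prefix list, the header name `CamelInternalCommand`, the function names and the sample request are all assumptions constructed for illustration.

```python
# Simplified model (assumption): internal headers are blocked by name prefix,
# and the component that consumes them looks names up case-insensitively.
INTERNAL_PREFIXES = ("Camel", "camel", "org.apache.camel.")  # assumed list

def weak_filter(headers):
    """Drop internal headers using an exact-case prefix match (the flawed check)."""
    return {k: v for k, v in headers.items()
            if not k.startswith(INTERNAL_PREFIXES)}

def strict_filter(headers):
    """Drop internal headers after normalising case (the corrected check)."""
    lowered = tuple(p.lower() for p in INTERNAL_PREFIXES)
    return {k: v for k, v in headers.items()
            if not k.lower().startswith(lowered)}

def lookup(headers, name):
    """Case-insensitive header read, as the consumer is assumed to do."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None

def effective_command(headers, static_command):
    """A header, if present, overrides the statically configured command."""
    override = lookup(headers, "CamelInternalCommand")  # hypothetical header
    return override if override is not None else static_command

def suspicious_names(headers):
    """Detection: names that match an internal prefix only when case is ignored."""
    return sorted(set(weak_filter(headers)) - set(strict_filter(headers)))

# Constructed sample request, not taken from any real traffic.
REQUEST = {
    "Content-Type": "text/plain",
    "CamelInternalCommand": "blocked-value",    # exact case: both filters drop it
    "CAmelInternalCommand": "injected-value",   # altered case: weak filter keeps it
}

if __name__ == "__main__":
    print("weak  :", effective_command(weak_filter(REQUEST), "static-command"))
    print("strict:", effective_command(strict_filter(REQUEST), "static-command"))
    print("flag  :", suspicious_names(REQUEST))
```

The `suspicious_names` check can be run over logged request headers to find names that only a case-normalising filter would have stopped.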

Proof ...


Copyright of this story solely belongs to gbhackers.