
A high-severity vulnerability, designated CVE-2025-29891, has been discovered in Apache Camel, potentially allowing attackers to inject malicious headers and manipulate application behavior. The flaw, impacting widely used HTTP components, demands immediate attention from developers.
Apache Camel, a popular open-source integration framework, is susceptible to a message header injection attack through request parameters. According to the Apache Software Foundation’s security advisory, “This vulnerability is present in Camel’s default incoming header filter, that allows an attacker to include Camel specific headers that for some Camel components can alter the behaviours such as the camel-bean component, or the camel-exec component.”
This vulnerability is particularly concerning for applications directly exposed to the internet via HTTP. Attackers can leverage this flaw by including malicious parameters in HTTP requests, which are then incorrectly translated into headers. “If you have Camel applications that are directly connected to the internet via HTTP, then an attacker could include parameters in the HTTP requests that are sent to the Camel application that incorrectly get translated into headers,” the advisory warns.
CVE-2025-29891 affects several Camel HTTP components out of the box, including camel-servlet, camel-jetty, camel-undertow, camel-platform-http, and camel-netty-http. This broad impact highlights the critical nature of the flaw and the urgent need for patching.
The vulnerability was discovered by Ryan Barnett of Akamai Security Intelligence Group (SIG). Akamai has also published technical details and a proof-of-concept exploit code, further emphasizing the severity of the issue.
The following Apache Camel versions are affected:
- Apache Camel 4.10.0 before 4.10.2
- Apache Camel 4.8.0 before 4.8.5
- Apache Camel 3.10.0 before 3.22.4
Patched versions include:
- 3.22.4
- 4.8.5
- 4.10.2
The Apache Software Foundation strongly recommends that users upgrade to the patched versions immediately.
In addition to upgrading, the advisory suggests using the removeHeaders Enterprise Integration Pattern (EIP) to strip potentially malicious headers before they reach downstream components. Specifically, it recommends filtering out case variants such as ‘cAmel’ or ‘cAMEL’, or more generally any header that does not start with exactly ‘Camel’, ‘camel’, or ‘org.apache.camel’, as an extra layer of protection.
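As an added illustration (not code from the advisory or the Camel project), the route below applies the removeHeaders mitigation described above in the Java DSL; the endpoint URI and bean name are placeholders, and the patterns follow the reading that mixed-case lookalikes such as cAmel or cAMEL should be dropped while headers with the exact Camel prefixes are kept:

```java
import org.apache.camel.builder.RouteBuilder;

/** Defence-in-depth route that drops header names impersonating Camel-internal headers. */
public class CamelHeaderHardeningRoute extends RouteBuilder {

    // Regex matched case-insensitively against each incoming header name: anything that
    // begins with "camel" or "org.apache.camel" in any capitalisation (cAmel, cAMEL, ...).
    static final String LOOKALIKE_PATTERN = "(?i)(org\\.apache\\.)?camel.*";

    @Override
    public void configure() {
        // Endpoint URI and bean name are placeholders for illustration.
        from("jetty:http://0.0.0.0:8080/orders")
            // removeHeaders(pattern, excludePatterns...): remove every header whose name
            // matches the pattern unless it also matches one of the exclusions. The
            // exclusions are case-sensitive wildcards, so headers carrying the exact,
            // legitimate prefixes (set by the component itself) survive, while mixed-case
            // lookalikes are stripped before any later step can interpret them.
            .removeHeaders(LOOKALIKE_PATTERN, "Camel*", "camel*", "org.apache.camel*")
            .to("bean:orderService");
    }
}
```

The removeHeaders step must sit before any bean, exec or other header-driven endpoint in the route, and it complements rather than replaces the upgrade to a patched release.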