CVE-2025-27636: 
Java vulnerability analysis and mitigation

A bypass/injection vulnerability (CVE-2025-27636) was discovered in Apache Camel, affecting versions from 4.10.0 through 4.10.1, 4.8.0 through 4.8.4, and 3.10.0 through 3.22.3. The vulnerability was disclosed on March 9, 2025, and was discovered by Mark Thorson of AT&T. Users are recommended to upgrade to version 4.10.2 for 4.10.x LTS, 4.8.5 for 4.8.x LTS, and 3.22.4 for 3.x releases (Apache Advisory, OSS Security).

The vulnerability exists in Camel's default incoming header filter, which only blocks headers starting with 'Camel', 'camel', or 'org.apache.camel.' The flaw allows attackers to bypass this filter by altering the casing of letters. This vulnerability specifically affects multiple Camel components including camel-servlet, camel-jetty, camel-undertow, camel-platform-http, and camel-netty-http when used in conjunction with the camel-bean component. The issue has been assigned a CVSS v3.1 Base Score of 5.6 (Medium) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L (NVD).

When exploited, this vulnerability allows attackers to inject headers that can alter behaviors of various Camel components. In the camel-bean component, attackers can invoke arbitrary methods from the Bean registry within the same bean declared in the bean URI. For the camel-jms component, malicious headers can be used to redirect messages to different queues on the same broker than what was originally intended in the application (Apache Advisory).

The primary mitigation is to upgrade to the fixed versions: 4.10.2 for 4.10.x LTS, 4.8.5 for 4.8.x LTS, and 3.22.4 for 3.x releases. As a workaround, users can remove headers in their Camel routes using the removeHeaders EIP to filter out variations like 'cAmel, cAMEL' or anything not starting with 'Camel', 'camel', or 'org.apache.camel.' This can be implemented globally or per route (Apache Advisory).