A Proof of Concept (PoC) exploit for the Apache Camel vulnerability CVE-2025-27636 has been released on GitHub.
This vulnerability affects Apache Camel versions 4.10.0-4.10.1, 4.8.0-4.8.4, and 3.10.0-3.22.3, allowing attackers to inject arbitrary headers and potentially execute internal Camel methods, including Remote Code Execution (RCE) via the Camel Exec component.
Vulnerability Details
The vulnerability arises from a flaw in Apache Camel’s default header filtering mechanism.
.png
)
Normally, Camel filters out headers starting with “Camel,” “camel,” or “org.apache.camel.”
However, attackers can bypass this filter by manipulating the casing of header names.
For example, using a header like “CAmelExecCommandExecutable” can override the static command defined in the Camel route.
This allows attackers to execute arbitrary commands on the server, as demonstrated in the PoC using the Camel Exec component to run commands like “ls” or “ping” with arguments.
The PoC application exposes an HTTP endpoint that executes a static “whoami” command but can be overridden by passing the “CamelExecCommandExecutable” header.
The exploit shows how attackers can bypass the filter by using headers with altered casing, enabling them to execute arbitrary commands.
Additionally, arguments can be passed using headers like “CamelExecCommandArgs,” further enhancing the exploit’s capabilities.
Mitigation and Fixes
To mitigate this vulnerability, users are advised to upgrade Apache Camel to versions 4.10.2, 4.8.5, or 3.22.4, depending on their current version.
Alternatively, developers can use the removeHeaders EIP to filter out malicious headers in their Camel routes.
According to the research, this involves removing headers that do not start with “Camel,” “camel,” or “org.apache.camel.” to prevent exploitation.
The release of this PoC highlights the importance of keeping software up-to-date and implementing robust security measures to prevent such vulnerabilities from being exploited in production environments.
Are you from SOC/DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Start Now for Free.
 exploit for the Apache Camel vulnerability CVE-2025-27636 has been released on GitHub.){kind=link}