Apache Camel Header Injection Vulnerability Allowing Remote Code Execution

Vulnerability

A vulnerability exists in Apache Camel in certain HeaderFilterStrategy implementations, specifically those used by camel-jms, camel-sjms, camel-coap, and camel-google-pubsub. It arises from an incomplete fix for the earlier header-injection vulnerability CVE-2025-27636: that fix added case-insensitive header filtering for HTTP headers but did not apply the same treatment to non-HTTP headers, so the affected components still compare inbound header names against Camel's reserved prefixes case-sensitively. An attacker with JMS (or equivalent) producer access can therefore send case variants of Camel's internal headers; these pass the filter and, because the route's header map resolves names case-insensitively, are read by downstream components under their standard casing. On routes that process JMS messages with header-driven components, this can lead to remote code execution and unauthorized file writing.
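The filter logic behind the bypass, as an added Python model written for this page (it is not Camel's own code and uses no Camel API). It assumes the filtered set is the reserved prefixes `Camel` and `org.apache.camel.`, models the route's header map as case-insensitive, and uses `CamelExecCommandExecutable` (the header camel-exec reads for the program to run) as the illustrative target; the sample headers are constructed, not captured traffic. It shows that a case variant survives the case-sensitive check but is dropped by the lower-cased comparison, and includes an audit helper that flags such variants on inbound messages.

```python
"""Model of the Camel header-filter bypass described above (not Camel's own code).

A HeaderFilterStrategy drops inbound headers whose names start with a reserved
prefix. If that check is case-sensitive, "CAMELExecCommandExecutable" survives,
and because the route's header map resolves names case-insensitively, a
downstream component asking for "CamelExecCommandExecutable" still finds it.
"""
from typing import Callable, Dict, List, Optional, Tuple

# Prefixes Camel reserves for internal headers (assumed to be the filtered set).
RESERVED_PREFIXES = ("Camel", "org.apache.camel.")


def passes_case_sensitive_filter(name: str) -> bool:
    """Pre-fix check: drop only exact-case matches of the reserved prefixes."""
    return not name.startswith(RESERVED_PREFIXES)


def passes_case_insensitive_filter(name: str) -> bool:
    """Fixed check: compare in lower case so case variants are dropped too."""
    lowered = name.lower()
    return not any(lowered.startswith(p.lower()) for p in RESERVED_PREFIXES)


class CaseInsensitiveHeaders:
    """Stand-in for the case-insensitive header map a Camel message carries."""

    def __init__(self) -> None:
        # lower-cased name -> (original name, value)
        self._entries: Dict[str, Tuple[str, object]] = {}

    def put(self, name: str, value: object) -> None:
        self._entries[name.lower()] = (name, value)

    def get(self, name: str) -> Optional[object]:
        entry = self._entries.get(name.lower())
        return entry[1] if entry else None

    def names(self) -> List[str]:
        return [original for original, _ in self._entries.values()]


def route_headers(inbound: Dict[str, object],
                  allow: Callable[[str], bool]) -> CaseInsensitiveHeaders:
    """Apply a filter to transport headers and build the map the route will see."""
    headers = CaseInsensitiveHeaders()
    for name, value in inbound.items():
        if allow(name):
            headers.put(name, value)
    return headers


def resolve_executable(headers: CaseInsensitiveHeaders) -> Optional[object]:
    """What a header-driven component does: look up its header by canonical name.

    CamelExecCommandExecutable is the header camel-exec reads for the program
    to run; it is used here only as the illustrative target.
    """
    return headers.get("CamelExecCommandExecutable")


def find_case_variant_spoofs(inbound: Dict[str, object]) -> List[str]:
    """Audit helper: names a case-sensitive filter passes but a case-insensitive
    one drops, i.e. attempts to smuggle internal headers past the old check."""
    return sorted(name for name in inbound
                  if passes_case_sensitive_filter(name)
                  and not passes_case_insensitive_filter(name))


# Constructed sample of headers as a JMS producer might set them (not captured traffic).
SAMPLE_INBOUND: Dict[str, object] = {
    "JMSCorrelationID": "order-42",            # ordinary transport header
    "orderId": "42",                           # ordinary application header
    "CamelFileName": "../../etc/passwd",       # exact-case internal header: both filters drop it
    "CAMELExecCommandExecutable": "/bin/sh",   # case variant: only the fixed filter drops it
}

if __name__ == "__main__":
    before = route_headers(SAMPLE_INBOUND, passes_case_sensitive_filter)
    after = route_headers(SAMPLE_INBOUND, passes_case_insensitive_filter)
    print("old filter, executable resolved:", resolve_executable(before))   # /bin/sh
    print("fixed filter, executable resolved:", resolve_executable(after))  # None
    print("spoofed internal headers:", find_case_variant_spoofs(SAMPLE_INBOUND))
```

The audit helper is the useful part on a broker or a producer-side gateway: any inbound header that only the lower-cased comparison rejects was sent by something that deliberately dodged the canonical spelling, and is worth alerting on regardless of which Camel version consumes the queue.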

Impact

Successful exploitation allows remote code execution and arbitrary file writing on affected routes. The prerequisite is the ability to publish messages with attacker-chosen headers to a JMS or equivalent endpoint that a vulnerable route consumes from.

Remediation

Users should upgrade to Apache Camel 4.20.0. Users on the 4.14.x LTS stream should upgrade to 4.14.6, and users on the 4.18.x stream to 4.18.2. Until the upgrade is in place, limit who can produce to the queues and topics that affected routes consume from, since the attack requires that producer access.

Added: Apr 27, 2026, 9:38 AM
Updated: Apr 27, 2026, 9:38 AM

Vulnerability Rating

Custom Algorithm

spread          5.4
impact          7.5
exploitability  2.7
remediation     7.7
relevance       6.8
threat          0.0
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.