
A recently disclosed vulnerability in Apache Camel (CVE-2025-27636) has been officially classified as moderate severity, despite earlier reports circulating online that characterized it as a "critical" vulnerability, according to official advisories released this week.
The vulnerability affects multiple versions of Apache Camel, including versions 4.10.0 before 4.10.2, 4.8.0 before 4.8.5, and 3.10.0 before 3.22.4. The security flaw stems from a bug in the default filtering mechanism that only blocks headers starting with "Camel," "camel," or "org.apache.camel." Attackers can bypass this filter by altering the casing of letters, potentially allowing them to inject headers that can be exploited to invoke arbitrary methods from the Bean registry.
Security expert Kevin Beaumont addressed the situation in a post, noting that alarming language about the vulnerability had "sparked panic amongst defenders" with some organizations mobilizing emergency response teams despite having no clear remediation path.
"One person posted their entire team had been stood up this weekend to deal with the situation — but they had no fixes and no clue what to do except panic," wrote Beaumont.
Importantly, the vulnerability comes with significant limitations. According to the researcher, "only methods in the same bean declared in the bean URI could be invoked." Furthermore, not every application using Apache Camel is vulnerable, as exploitation requires "a very specific set of circumstances."
Apache has released patched versions (4.10.2 and 4.8.5) for current Apache Camel 4 releases, with a courtesy patch (3.22.4) planned for the end-of-life 3.x version.
Users unable to update immediately can implement a workaround by removing headers in their Camel routes, specifically by using the removeHeaders Exchange Interface Processor to filter out variant casings like "cAmel" or "cAMEL."
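The bypass described above (a case-sensitive prefix filter defeated by re-cased header names) and the removeHeaders mitigation both come down to how a header name is matched. The following added example is not from the Camel project or the article; it contrasts the pre-patch style of check with a case-insensitive one and runs both over a constructed set of request headers, so a defender can see which names slip through and use the same logic to flag such requests in access logs. The hardened check is an illustration, not the project's actual patch, and all header names are constructed.

```python
import re
from typing import Dict, List

# Prefixes the default filter blocks before the fix, matched case-sensitively (per the advisory).
BLOCKED_PREFIXES = ("Camel", "camel", "org.apache.camel.")

# Case-insensitive equivalent (assumption: illustrates the intent of the fix, not its exact code).
CASE_INSENSITIVE = re.compile(r"^(camel|org\.apache\.camel\.)", re.IGNORECASE)


def weak_filter_blocks(name: str) -> bool:
    """Pre-patch behaviour: only an exact-case prefix match is dropped."""
    return name.startswith(BLOCKED_PREFIXES)


def hardened_filter_blocks(name: str) -> bool:
    """Drops any casing of the reserved prefixes; HTTP header names are case-insensitive anyway."""
    return CASE_INSENSITIVE.match(name) is not None


def bypass_headers(headers: Dict[str, str]) -> List[str]:
    """Names the weak filter admits but the hardened filter rejects: the exact set
    that reaches the route on unpatched versions and that a log review should flag."""
    return [n for n in headers if not weak_filter_blocks(n) and hardened_filter_blocks(n)]


# Constructed inbound headers, as a transport would hand them to the filter strategy.
SAMPLE_HEADERS = {
    "Content-Type": "application/json",          # legitimate, passes both filters
    "CamelInternal": "x",                        # blocked by both
    "cAmelInternal": "x",                        # re-cased: passes the weak filter
    "CAMELInternal": "x",                        # re-cased: passes the weak filter
    "org.apache.camel.Internal": "x",            # blocked by both
    "Org.Apache.Camel.Internal": "x",            # re-cased: passes the weak filter
}

if __name__ == "__main__":
    for name in bypass_headers(SAMPLE_HEADERS):
        print(f"would reach the route unfiltered on unpatched versions: {name}")
```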
Akamai researchers have created a PoC application vulnerable to Apache Camel CVE-2025-27636, available on their GitHub.
The vulnerability, tracked as CAMEL-21828, was discovered by Mark Thorson of AT&T. Beaumont expressed support for the Apache developers who had to manage the public response, recommending that organizations "calmly inform their development teams, if they use Apache Camel, to check the advisory... to assess if they are impacted, and either upgrade to a fixed release or apply the mitigation."
For organizations using Apache Camel, the official recommendation is to update to the latest patched versions or implement the suggested mitigation strategies if immediate patching isn't possible.