CVE-2025-27636 – Remote Code Execution in Apache Camel via Case-Sensitive Header Filtering Bypass

Research & Tutorials

Jul 10, 2025

Discover the critical Apache Camel vulnerability (CVE-2025-27636) that allows remote code execution via case-sensitive HTTP header manipulation in the exec component. Learn how attackers exploit this flaw and how to mitigate it.

OffSec Team

Overview

CVE-2025-27636 is a critical remote code execution vulnerability in Apache Camel that affects the exec component. The flaw arises because Camel’s security filters only check certain sensitive HTTP headers in lowercase, failing to block the same headers submitted in mixed or uppercase casing. Attackers can exploit this oversight to execute arbitrary system commands via HTTP requests.

  • CVE ID: CVE-2025-27636
  • Severity: Medium
  • CVSS Score: 5.6 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L)
  • EPSS Score: 35.5%
  • Published: March 19, 2025
  • Affected Versions:
    • 4.10.0 – 4.10.1
    • 4.8.0 – 4.8.4
    • 3.10.0 – 3.22.3
  • Patched Versions: 4.10.2, 4.8.5, 3.22.4
  • Authentication Required: Depends on deployment
  • Impact: Remote Code Execution

Apache Camel patched this issue in the above versions by normalizing header names to lowercase before filtering them.


Technical Breakdown

Apache Camel supports a Command Center feature which allows executing OS-level commands via HTTP endpoints. By design, this functionality should be restricted to trusted administrators and protected by strict filtering of certain headers:

  • CamelExecCommandExecutable
  • CamelExecCommandArgs

However, the vulnerable versions of Camel performed case-sensitive header checks. Passing these headers in mixed casing, e.g. CAmelExecCommandExecutable, allowed them to bypass security filters.

When exploited, the vulnerable Camel instance executes the attacker’s chosen system command under the privileges of the Camel process, which in some deployments may be running as root.
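The following is an added illustration, not code from the OffSec post or from Apache Camel: a minimal model of a header denylist in its case-sensitive (vulnerable) form beside its lowercase-normalized (fixed) form, using the two control header names listed above. The INBOUND request and the denylist are constructed for the example; Camel's real header filter strategy matches a broader set of names, so this shows the logic, not the project's code.

```python
"""
Added example, not Apache Camel's own code: a simplified model of the
inbound header filter at the heart of CVE-2025-27636. The first filter
matches header names exactly (the vulnerable behaviour the advisory
describes); the second lowercases names before matching (the fix the
advisory describes). The denylist is limited to the two control headers
the post names; Camel's real filter strategy is broader, so this is a model.
"""

# Control headers the exec component honours (named in the post). An
# external client must never be able to set these.
SENSITIVE_HEADERS = {"CamelExecCommandExecutable", "CamelExecCommandArgs"}
SENSITIVE_LOWER = {h.lower() for h in SENSITIVE_HEADERS}


def filter_headers_vulnerable(headers: dict[str, str]) -> dict[str, str]:
    """Case-sensitive filter: only an exact-case name is dropped, so a
    mixed-case spelling of the same header passes straight through."""
    return {k: v for k, v in headers.items() if k not in SENSITIVE_HEADERS}


def filter_headers_fixed(headers: dict[str, str]) -> dict[str, str]:
    """Case-insensitive filter: HTTP field names are case-insensitive on the
    wire, so the name is normalized to lowercase before the denylist check."""
    return {k: v for k, v in headers.items() if k.lower() not in SENSITIVE_LOWER}


def leaked_control_headers(filtered: dict[str, str]) -> list[str]:
    """Names of control headers that survived filtering, in wire casing.
    Anything listed here would reach the exec component; empty means the
    filter held."""
    return sorted(k for k in filtered if k.lower() in SENSITIVE_LOWER)


# Constructed inbound request headers: one canonical-case control header,
# one mixed-case control header, and an ordinary header that must survive.
INBOUND = {
    "Host": "camel.example.internal",
    "CamelExecCommandExecutable": "ls",  # exact case: both filters drop it
    "CAmelExecCommandArgs": "/",         # mixed case: only the fixed filter drops it
}

if __name__ == "__main__":
    for label, fn in (("vulnerable", filter_headers_vulnerable),
                      ("fixed", filter_headers_fixed)):
        survivors = leaked_control_headers(fn(INBOUND))
        print(f"{label:10s} filter -> leaked control headers: {survivors or 'none'}")
```

The point to keep for any filter of this kind: HTTP field names are case-insensitive on the wire, so a denylist compared with exact case enforces nothing. Normalize once, at the boundary, before every comparison, rather than enumerating spellings.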


Conditions for Exploitation

  • An attacker must be able to inject or upload malicious XML route definitions
  • The vulnerable Camel instance must parse the XML route
  • The runtime environment must allow process execution

Note: In some environments, this may require low-privileged authentication if route uploads are gated behind login.


Exploitation

Public PoC

A working public PoC is documented here: Akamai CVE-2025-27636 PoC

Exploiting with curl

To exploit the vulnerability, send a request to the vulnerable endpoint with mixed-case headers. For example, executing ls inside /root:

curl "http://10.0.2.15:80/command-center" --header "CAmelExecCommandExecutable: ls" --header "CAmelExecCommandArgs: /"

Mitigation

  • Upgrade Apache Camel to:
    • 4.10.2+
    • 4.8.5+
    • 3.22.4+
  • Restrict external access to management endpoints like the Command Center.
  • Block or sanitize incoming HTTP headers that could influence system behavior.
  • Deploy a WAF to detect suspicious header names or payloads.
  • Run Camel under a low-privilege user account wherever possible.
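An added example for the header-blocking and WAF points above, not part of the original post: a detection pass over constructed proxy log lines that flags any inbound request carrying a Camel exec control header in any casing, and marks non-canonical casing as a likely filter-evasion attempt. The log format (one request per line, headers as name=value pairs after "hdrs=") and the client addresses are assumptions made for the example.

```python
"""
Added example (not part of the OffSec post or of Apache Camel): a small
detection pass over constructed proxy log lines. Any request that carries
a Camel exec control header from the outside is reported; a spelling that
differs from the canonical casing is additionally flagged as evasion,
since that is exactly the CVE-2025-27636 bypass pattern.
"""
import re
from dataclasses import dataclass

# Control headers named in the advisory, in canonical casing.
CANONICAL = {"CamelExecCommandExecutable", "CamelExecCommandArgs"}
CANONICAL_BY_LOWER = {h.lower(): h for h in CANONICAL}

# Constructed log lines; the format is assumed for this example:
# <timestamp> <client> <method> <path> hdrs=<name=value;name=value;...>
SAMPLE_LOG = """\
2025-03-20T09:58:01Z 203.0.113.5 GET /command-center hdrs=host=camel.internal;user-agent=curl/8.6
2025-03-20T09:58:07Z 198.51.100.7 GET /command-center hdrs=host=camel.internal;CAmelExecCommandExecutable=ls;CAmelExecCommandArgs=/
2025-03-20T09:58:09Z 198.51.100.7 GET /command-center hdrs=host=camel.internal;CAMELEXECCOMMANDEXECUTABLE=ls
2025-03-20T09:59:30Z 192.0.2.44 POST /orders hdrs=host=camel.internal;content-type=application/json
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) hdrs=(.*)$")


@dataclass(frozen=True)
class Finding:
    timestamp: str
    client: str
    path: str
    header: str     # header name exactly as it appeared on the wire
    canonical: str  # the control header it maps to
    evasion: bool   # True when the wire casing differs from canonical


def parse_headers(raw: str) -> dict[str, str]:
    """Split the assumed 'name=value;name=value' header field into a dict."""
    out: dict[str, str] = {}
    for pair in raw.split(";"):
        if "=" in pair:
            name, value = pair.split("=", 1)
            out[name] = value
    return out


def scan(log_text: str) -> list[Finding]:
    """Return one Finding per control header seen on an inbound request.
    Matching is case-insensitive, so no casing trick escapes the check."""
    findings: list[Finding] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than silently trust it
        ts, client, _method, path, raw = m.groups()
        for name in parse_headers(raw):
            canon = CANONICAL_BY_LOWER.get(name.lower())
            if canon is None:
                continue
            findings.append(Finding(ts, client, path, name, canon, name != canon))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        tag = "EVASION" if f.evasion else "control-header"
        print(f"{f.timestamp} {f.client} {f.path} {tag}: {f.header} -> {f.canonical}")
```

The same comparison (lowercase the wire name, then look it up) is what a WAF rule or an edge proxy should do before the request reaches Camel; a rule that lists only the canonical spelling reproduces the original bug one hop earlier. Because Camel-internal headers are never legitimately supplied by an external client, even a canonical-case hit is worth an alert, which is why the scanner reports it and only uses the casing mismatch as an extra signal.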
