A Proof of Concept (PoC) exploit has been released for a Remote Code Execution (RCE) vulnerability in Apache Camel, identified as CVE-2025-27636.
This vulnerability affects Apache Camel versions 4.10.0-4.10.1, 4.8.0-4.8.4, and 3.10.0-3.22.3.
The vulnerability allows attackers to inject arbitrary headers, enabling them to execute internal Camel methods, which can lead to the execution of arbitrary commands on the system.
Vulnerability Details
The vulnerability exploits the incorrect handling of casing in header names.
Specifically, Apache Camel is supposed to filter headers like “CamelExecCommandExecutable,” but due to a casing issue, headers with slightly different casing, such as “CAmelExecCommandExecutable,” bypass this filter.
This allows attackers to override static commands defined in the Camel Exec component.
For example, an application configured to execute the “whoami” command can be manipulated to run any command by passing the “CAmelExecCommandExecutable” header with the desired command.
Additionally, arguments can be passed using the “CamelExecCommandArgs” header, further expanding the exploit’s capabilities.
Exploitation Example
To demonstrate the vulnerability, a sample application has been provided that exposes an HTTP endpoint.
According to the research, this endpoint is meant to execute the “whoami” command but can be exploited to run arbitrary commands.
For instance, using curl, an attacker can override the “whoami” command with “ls” by passing the “CAmelExecCommandExecutable: ls” header.
Similarly, arguments can be passed to commands like “ping” by including the “CamelExecCommandArgs” header.
If the correct casing is used for the header (“CamelExecCommandExecutable”), the exploit fails, and the static command executes as intended.
The release of this PoC exploit highlights the importance of updating Apache Camel to versions that are not affected by this vulnerability.
Users should ensure that their systems are patched to prevent potential RCE attacks.
The exploit also underscores the need for robust input validation and proper handling of header casing in software applications to prevent similar vulnerabilities in the future.
 exploit has been released for a RCE vulnerability in Apache Camel, identified as CVE-2025-27636.){kind=link}