GHSA-hgg5-gp4c-gpcg
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Unauthenticated network reach against an exposed WebSocket endpoint (AV:N/PR:N/UI:N), low-complexity header injection (AC:L), high confidentiality from secret/SSRF disclosure with no integrity or availability impact.
Primary rating from Vendor (CNA).
CVSS VectorVendor
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
7Description PRE-NVD
Articles & Coverage 5
AnalysisAI
Server-side request forgery and secret disclosure in Apache Camel's camel-vertx-websocket component (versions 4.0.0-4.14.7, 4.15.0-4.18.2, and 4.19.0-4.20.x) let a WebSocket client inject Camel-internal control headers such as CamelHttpUri because inbound query/path parameters are copied into the Exchange header map without a HeaderFilterStrategy. In routes that bridge the WebSocket consumer into a downstream HTTP producer, an attacker can redirect the server-side HTTP request to internal services or cloud metadata endpoints, and because the HTTP producer resolves Camel property placeholders on the attacker-supplied URI, environment variables, application properties, and vault secrets are resolved and exfiltrated. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a Camel route where the camel-vertx-websocket consumer's inbound query/path parameters flow into a downstream HTTP producer whose target URI is derived from message headers (the CamelHttpUri / Exchange.HTTP_URI control header). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 base of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) reflects network-reachable, unauthenticated, low-complexity access with high confidentiality impact and no integrity/availability impact, which is consistent with the described secret-disclosure and SSRF read-oriented behavior. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker connects to an unauthenticated camel-vertx-websocket endpoint and appends query parameters such as CamelHttpUri set to an internal or cloud-metadata URL (optionally embedding a placeholder like a vault or environment-variable reference). The Camel route copies these into the Exchange, and the downstream HTTP producer sends a server-side request to the attacker-chosen destination, resolving embedded placeholders so that environment variables, application properties, or vault secrets are returned. … |
| Remediation | Vendor-released patch: upgrade to 4.21.0, which applies a HeaderFilterStrategy that case-insensitively filters the Camel header namespace on inbound mapping so externally supplied Camel*/camel* headers are no longer copied into the Exchange. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Inventory all systems using Apache Camel versions 4.0.0-4.14.7, 4.15.0-4.18.2, or 4.19.0-4.20.x; isolate affected systems from untrusted networks if possible. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Bypass/Injection vulnerability in Apache Camel components under particular conditions.10.0 through <= 4.10.1, from 4.8.0
The XSLT component in Apache Camel before 2.11.4 and 2.12.x before 2.12.3 allows remote attackers to read arbitrary file
Apache Camel's Jackson and JacksonXML unmarshalling operation are vulnerable to Remote Code Execution attacks. Rated cri
The XSLT component in Apache Camel 2.11.x before 2.11.4, 2.12.x before 2.12.3, and possibly earlier versions allows remo
Cross-realm token acceptance bypass in Apache Camel Keycloak security policy. The KeycloakSecurityPolicy fails to proper
Deserialization of Untrusted Data vulnerability in Apache Camel LevelDB component. The Camel-LevelDB DefaultLevelDBSeria
The camel-mina component's MinaConverter.toObjectInput(IoBuffer) type converter wraps an IoBuffer in a java.io.ObjectInp
Apache Camel's File is vulnerable to directory traversal. Rated high severity (CVSS 7.5), this vulnerability is remotely
The camel-castor component in Apache Camel 2.x before 2.19.4 and 2.20.x before 2.20.1 is vulnerable to Java object de-se
The camel-xstream component in Apache Camel before 2.15.5 and 2.16.x before 2.16.1 allow remote attackers to execute arb
The camel-hessian component in Apache Camel 2.x before 2.19.4 and 2.20.x before 2.20.1 is vulnerable to Java object de-s
Apache Camel before 2.9.7, 2.10.0 before 2.10.7, 2.11.0 before 2.11.2, and 2.12.0 allows remote attackers to execute arb
Same weakness CWE-20 – Improper Input Validation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41837