GHSA-583r-f84w-33g7
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Network publish access required (AV:N, PR:L); scope changes as messages cross Dapr component boundaries (S:C); impact is redirection and exfiltration, not code execution (C:L/I:L/A:N).
Primary rating from Vendor (CNA).
CVSS VectorVendor
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Lifecycle Timeline
4Description PRE-NVD
Articles & Coverage 4
AnalysisAI
Routing header injection in Apache Camel's camel-dapr component allows any actor with publish access to a subscribed Dapr Pub/Sub topic to redirect or exfiltrate re-published messages to an arbitrary Dapr Pub/Sub component and topic. The flaw exists in routes that both consume and republish via Dapr - specifically, DaprPubSubConsumer blindly copies attacker-controlled CloudEvent fields (pub/sub-name and topic) into producer-direction routing headers (CamelDaprPubSubName and CamelDaprTopic), which DaprConfigurationOptionsProxy then prefers over the route's configured endpoint destination. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires all of the following: (1) The target deployment must use the camel-dapr component with a route that both consumes messages FROM a Dapr Pub/Sub topic AND republishes those messages TO another Dapr Pub/Sub topic or component - a pass-through or transformation route pattern such as from('dapr-pubsub:p:t').to('dapr-pubsub:p:other'); routes that only consume or only produce are not affected. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Real-world risk is moderate and narrowly scoped. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with publish access to a Dapr Pub/Sub topic monitored by a camel-dapr route crafts a CloudEvent where the pub/sub-name field is set to a Dapr component the attacker controls and the topic field points to an attacker-owned topic. When the camel-dapr route consumes this message and republishes it downstream, DaprConfigurationOptionsProxy reads the injected CamelDaprPubSubName and CamelDaprTopic headers and overrides the configured destination, delivering the re-published message - potentially containing sensitive business data - to the attacker's Dapr component instead of the intended recipient. … |
| Remediation | The primary fix is to upgrade camel-dapr to a patched release: 4.14.8 for deployments on the 4.14.x LTS stream, 4.18.3 for those on the 4.18.x stream, or 4.21.0 for those on the latest stream. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all Apache Camel deployments running camel-dapr component and implement access controls limiting Dapr Pub/Sub permissions. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Bypass/Injection vulnerability in Apache Camel components under particular conditions.10.0 through <= 4.10.1, from 4.8.0
The XSLT component in Apache Camel before 2.11.4 and 2.12.x before 2.12.3 allows remote attackers to read arbitrary file
Apache Camel's Jackson and JacksonXML unmarshalling operation are vulnerable to Remote Code Execution attacks. Rated cri
The XSLT component in Apache Camel 2.11.x before 2.11.4, 2.12.x before 2.12.3, and possibly earlier versions allows remo
Cross-realm token acceptance bypass in Apache Camel Keycloak security policy. The KeycloakSecurityPolicy fails to proper
Deserialization of Untrusted Data vulnerability in Apache Camel LevelDB component. The Camel-LevelDB DefaultLevelDBSeria
The camel-mina component's MinaConverter.toObjectInput(IoBuffer) type converter wraps an IoBuffer in a java.io.ObjectInp
Apache Camel's File is vulnerable to directory traversal. Rated high severity (CVSS 7.5), this vulnerability is remotely
The camel-castor component in Apache Camel 2.x before 2.19.4 and 2.20.x before 2.20.1 is vulnerable to Java object de-se
The camel-xstream component in Apache Camel before 2.15.5 and 2.16.x before 2.16.1 allow remote attackers to execute arb
The camel-hessian component in Apache Camel 2.x before 2.19.4 and 2.20.x before 2.20.1 is vulnerable to Java object de-s
Apache Camel before 2.9.7, 2.10.0 before 2.10.7, 2.11.0 before 2.11.2, and 2.12.0 allows remote attackers to execute arb
Same weakness CWE-20 – Improper Input Validation
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41842