The flaw is a deserialization vulnerability in the Camel-LevelDB component that allows an attacker to inject a crafted Java object into the LevelDB aggregation repository. When the repository processes the stored data, the untrusted object is deserialized using java.io.ObjectInputStream without applying any ObjectInputFilter or class‑loading restrictions, leading to arbitrary code execution in the context of the running Camel application. This vulnerability corresponds to CWE‑502, which signifies the ability to deserialize untrusted data for malicious payloads.

This issue affects all Apache Camel LevelDB releases from 4.10.0 up to 4.10.7, from 4.14.0 up to 4.14.4, and from 4.15.0 up to 4.17.9. The recommended fixes are version 4.18.0 for the main line, 4.10.9 for the 4.10.x LTS line, and 4.14.5 for the 4.14.x LTS line, all of which remove the unfiltered deserialization path.

The CVSS score of 8.8 indicates a high severity, while the EPSS score of less than 1% suggests a low likelihood of exploitation in practice. The vulnerability is not marked in the CISA KEV catalog. Exploitation requires an attacker who can write to the LevelDB database files—typically a local or compromised system with file‑write privileges. Once access is gained, the attacker can craft a malicious serialized object that will be processed during normal aggregation tasks, causing code to run with the application's privileges. Given the high impact but low exploitation probability, prompt remediation is advised to mitigate potential damage.