Description
Deserialization of Untrusted Data vulnerability in Apache Camel.

The default ObjectInputFilter pattern shipped with several Apache Camel components for defense-in-depth deserialization filtering ('java.**;javax.**;org.apache.camel.**;!*', or the no-'javax.**' variant in the aggregation-repository components) uses a recursive 'java.**' glob that admits classes whose hashCode/equals/readObject methods perform network I/O, notably java.net.URL and java.net.InetAddress. When an attacker can deliver a Java-serialized payload to an affected Camel consumer, deserialization of a HashMap (or any collection that calls hashCode on its elements) containing java.net.URL keys causes the JVM to issue DNS queries to the attacker-supplied host during the deserialization side-effect. The class-level filter check passes because the resulting object's class (HashMap) is allow-listed; the DNS query is observable on an attacker-controlled DNS server, providing an out-of-band side channel. The exposure is highest on the camel-jms family because JmsBinding.extractBodyFromJms invokes ObjectMessage.getObject() unconditionally when mapJmsMessage=true (default). Affected components: camel-jms, camel-sjms, camel-amqp, camel-mina, camel-netty, camel-netty-http, camel-vertx-http, camel-infinispan, and the aggregation repository components camel-leveldb, camel-cassandraql, camel-consul, camel-sql (JDBC aggregation repository).
This issue affects Apache Camel: from 4.14.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0.

Users are recommended to upgrade to a version that contains the CAMEL-23372 fix once available: 4.21.0 for the 4.21.x line, 4.18.3 for the 4.18.x line, and 4.14.8 for the 4.14.x line. For deployments that cannot upgrade immediately, configure a JMS-provider-side allow-list (Apache ActiveMQ Artemis 'deserializationAllowList' / 'deserializationDenyList', Apache ActiveMQ Classic 'org.apache.activemq.SERIALIZABLE_PACKAGES') as the primary mitigation, and/or override the in-code default via the endpoint-level 'deserializationFilter' option or the JVM-wide '-Djdk.serialFilter' system property with an explicit deny: '!java.net.**;java.**;javax.**;org.apache.camel.**;!*' (or '!java.net.**;java.**;org.apache.camel.**;!*' for the aggregation-repository components, which do not include javax.**).
Published: 2026-07-06
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Deserialization of untrusted data in Apache Camel allows an attacker who can supply a serialized Java object to a Camel consumer to trigger DNS queries. The default ObjectInputFilter permits classes such as java.net.URL, which perform network I/O during hashCode or readObject. When a HashMap containing these classes is deserialized, the JVM contacts domain names supplied in the payload, leaking which hosts were queried to an attacker‑controlled DNS server. This results in a side‑channel that can disclose network information about the system and the attacker’s host, without executing arbitrary code. This vulnerability is a deserialization flaw (CWE‑502).

Affected Systems

Apache Camel components shipped before specific patch versions are affected. The vulnerability exists in camel‑jms, camel‑sjms, camel‑amqp, camel‑mina, camel‑netty, camel‑netty‑http, camel‑vertx‑http, camel‑infinispan, and the aggregation‑repository components camel‑leveldb, camel‑cassandraql, camel‑consul, camel‑sql (JDBC aggregation repository). The issue applies to Camel releases 4.14.0 through 4.14.7, 4.15.0 through 4.18.2, and 4.19.0 through 4.20.9. The recommended fixed releases are 4.14.8, 4.18.3, and 4.21.0 respectively.

Risk and Exploitability

The EPSS score is less than 1 %, indicating a very low current probability of exploitation that has been observed. The vulnerability is not listed in the CISA KEV catalog, but it remains a legitimate risk because the attack requires the ability to deliver a serialized payload to a running Camel consumer, a scenario that can arise in applications exposed over JMS, AMQP, or Netty. If the attacker can reach a Camel endpoint, the side‑channel can be used to learn which domain names the application resolves, potentially revealing internal network structure. While the exploitability is restricted to deserialization of untrusted data, the potential impact of information disclosure makes it important to address promptly.

Generated by OpenCVE AI on July 9, 2026 at 12:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a patched Camel release: 4.14.8 for the 4.14.x line, 4.18.3 for the 4.18.x line, or 4.21.0 for the 4.21.x line.
  • If an upgrade is not possible now, configure the JMS provider to restrict deserialization, such as setting ActiveMQ Artemis 'deserializationAllowList' or Apache ActiveMQ Classic 'org.apache.activemq.SERIALIZABLE_PACKAGES' to a whitelist that excludes java.net.* classes.
  • Override the default filter by setting the Camel endpoint option 'deserializationFilter' or the JVM property '-Djdk.serialFilter' to the explicit deny list '!java.net.;java.;javax.;org.apache.camel.;!*' for general Camel components, or '!java.net.;java.;org.apache.camel.;!*' for aggregation-repository components.
  • Monitor DNS traffic for unexpected queries to identify potential exploitation attempts.

Generated by OpenCVE AI on July 9, 2026 at 12:32 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 06 Jul 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 06 Jul 2026 12:15:00 +0000

Type Values Removed Values Added
First Time appeared Apache
Apache camel
Vendors & Products Apache
Apache camel

Mon, 06 Jul 2026 09:00:00 +0000

Type Values Removed Values Added
Description Deserialization of Untrusted Data vulnerability in Apache Camel. The default ObjectInputFilter pattern shipped with several Apache Camel components for defense-in-depth deserialization filtering ('java.**;javax.**;org.apache.camel.**;!*', or the no-'javax.**' variant in the aggregation-repository components) uses a recursive 'java.**' glob that admits classes whose hashCode/equals/readObject methods perform network I/O, notably java.net.URL and java.net.InetAddress. When an attacker can deliver a Java-serialized payload to an affected Camel consumer, deserialization of a HashMap (or any collection that calls hashCode on its elements) containing java.net.URL keys causes the JVM to issue DNS queries to the attacker-supplied host during the deserialization side-effect. The class-level filter check passes because the resulting object's class (HashMap) is allow-listed; the DNS query is observable on an attacker-controlled DNS server, providing an out-of-band side channel. The exposure is highest on the camel-jms family because JmsBinding.extractBodyFromJms invokes ObjectMessage.getObject() unconditionally when mapJmsMessage=true (default). Affected components: camel-jms, camel-sjms, camel-amqp, camel-mina, camel-netty, camel-netty-http, camel-vertx-http, camel-infinispan, and the aggregation repository components camel-leveldb, camel-cassandraql, camel-consul, camel-sql (JDBC aggregation repository). This issue affects Apache Camel: from 4.14.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0. Users are recommended to upgrade to a version that contains the CAMEL-23372 fix once available: 4.21.0 for the 4.21.x line, 4.18.3 for the 4.18.x line, and 4.14.8 for the 4.14.x line. For deployments that cannot upgrade immediately, configure a JMS-provider-side allow-list (Apache ActiveMQ Artemis 'deserializationAllowList' / 'deserializationDenyList', Apache ActiveMQ Classic 'org.apache.activemq.SERIALIZABLE_PACKAGES') as the primary mitigation, and/or override the in-code default via the endpoint-level 'deserializationFilter' option or the JVM-wide '-Djdk.serialFilter' system property with an explicit deny: '!java.net.**;java.**;javax.**;org.apache.camel.**;!*' (or '!java.net.**;java.**;org.apache.camel.**;!*' for the aggregation-repository components, which do not include javax.**).
Title Apache Camel: Permissive default ObjectInputFilter pattern admits java.net.** and enables DNS-based information disclosure
Weaknesses CWE-502
References

cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-07-06T18:47:30.650Z

Reserved: 2026-04-28T11:50:34.288Z

Link: CVE-2026-42527

cve-icon Vulnrichment

Updated: 2026-07-06T09:25:03.913Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-09T12:45:05Z

Weaknesses
  • CWE-502

    Deserialization of Untrusted Data