Impact
The vulnerability occurs when inbound NATS message headers are mapped into the Camel Exchange without filtering. A client that can publish to the consumed subject can inject any header, including Camel internal control headers such as CamelHttpUri, CamelFileName, or CamelSqlQuery. These injected headers are copied unchanged onto the Camel message and persist across direct, seda, and vm hops, allowing the attacker to redirect HTTP calls, change file names, or override queries in downstream producers, potentially causing misdirected traffic, data leakage, or processing of malicious queries.
Affected Systems
Apache Camel’s camel‑nats component is affected in versions 4.0.0 up to 4.14.7, 4.15.0 up to 4.18.2, and 4.19.0 up to 4.20.x. The flaw exists when the NATS server supports headers (NATS 2.2+) and is configured without authentication. The issue is fixed in Camel 4.14.8, 4.18.3, and 4.21.0.
Risk and Exploitability
The EPSS score is less than 1%, indicating a low likelihood of exploitation, and the vulnerability is not listed in CISA’s KEV catalog. The CVSS score is 7.5, indicating high severity. Nevertheless, the attack vector is accessible to any client that can publish to the subscribed NATS subject; with the default NATS server configuration allowing unauthenticated publishing, an attacker can perform the injection remotely. The impact depends on the downstream consumers, but the flaw enables manipulation of critical routing parameters and could lead to significant integrity and availability problems for the impacted system.
OpenCVE Enrichment