Impact
The vulnerability arises from the camel‑netty‑http consumer's muteException option, which by default is false. When a route processing error occurs, the consumer writes the full Java stack trace to the HTTP response body, exposing credentials, host names, file paths, and other internal details. This corresponds to CWE‑209: Exposure of Sensitive Information.
Affected Systems
Affected product: Apache Camel, Netty HTTP component. Versions from 4.0.0 up to before 4.14.8, from 4.15.0 up to before 4.18.3, and from 4.19.0 up to before 4.21.0 are impacted. Users on the 4.14.x LTS stream should upgrade to 4.14.8, the 4.18.x stream to 4.18.3, and all others to 4.21.0.
Risk and Exploitability
The EPSS score is below 1%, indicating that the likelihood of a known exploit is low, and the issue is not listed in CISA KEV. Nevertheless, the flaw permits unauthenticated clients to trigger a processing error and receive a detailed stack trace by sending a malformed request or invalid parameter to a reachable Camel Netty HTTP endpoint. This can provide attackers with valuable information for further attacks. The recommended remediation path is to upgrade or enable muteException, thereby reducing the attack surface.
OpenCVE Enrichment