Impact
Apache Camel’s Atmosphere Websocket consumer mistakenly copies every query‑string parameter from a client’s WebSocket request into the Exchange header map without filtering. Because the Camel header namespace is not blocked, an attacker can send specially crafted query parameters that set privileged Camel control headers, most notably CamelHttpUri (Exchange.HTTP_URI). In a route that forwards the Exchange to an HTTP producer, this injected header causes the server to issue a request to an attacker‑chosen URI, enabling server‑side request forgery (SSRF). Additionally, the HTTP producer expands property placeholders on that URI, exposing environment variables, application properties, and vault secrets to the attacker. If the endpoint is unprotected, an unauthenticated remote attacker can leverage this flaw without any additional privileges.
Affected Systems
The vulnerability exists in the Apache Camel Atmosphere Websocket component shipped with Apache Software Foundation’s Camel. Affected releases are 4.0.0 through 4.14.7, 4.15.0 through 4.18.2, and 4.19.0 through 4.20.x. Users of the 4.14.x LTS stream should upgrade to 4.14.8, users of the 4.18.x stream to 4.18.3, and all other users should adopt 4.21.0, which provides a filter that blocks Camel‑header injection.
Risk and Exploitability
Because the exploit is reachable via an unauthenticated WebSocket connection, the risk is significant. The EPSS score is listed as <1 %, indicating a low probability of widespread exploitation at this time, yet the impact of a successful SSRF and the leakage of privileged secrets could be devastating. The vulnerability is not currently listed in the CISA KEV catalog, but its potential rating is high given the remote, unauthenticated attack vector and the ability to compromise internal services or retrieve confidential information. If a user’s environment maintains an unfiltered Bridge from untrusted consumers to HTTP producers, the attack could be executed without any additional access controls.
OpenCVE Enrichment