CVE-2026-42527
Gravedad:
Pendiente de análisis
Tipo:
CWE-502
Deserialización de datos no confiables
Fecha de publicación:
06/07/2026
Última modificación:
06/07/2026
Descripción
*** Pendiente de traducción *** Deserialization of Untrusted Data vulnerability in Apache Camel.<br />
<br />
The default ObjectInputFilter pattern shipped with several Apache Camel components for defense-in-depth deserialization filtering (&#39;java.**;javax.**;org.apache.camel.**;!*&#39;, or the no-&#39;javax.**&#39; variant in the aggregation-repository components) uses a recursive &#39;java.**&#39; glob that admits classes whose hashCode/equals/readObject methods perform network I/O, notably java.net.URL and java.net.InetAddress. When an attacker can deliver a Java-serialized payload to an affected Camel consumer, deserialization of a HashMap (or any collection that calls hashCode on its elements) containing java.net.URL keys causes the JVM to issue DNS queries to the attacker-supplied host during the deserialization side-effect. The class-level filter check passes because the resulting object&#39;s class (HashMap) is allow-listed; the DNS query is observable on an attacker-controlled DNS server, providing an out-of-band side channel. The exposure is highest on the camel-jms family because JmsBinding.extractBodyFromJms invokes ObjectMessage.getObject() unconditionally when mapJmsMessage=true (default). Affected components: camel-jms, camel-sjms, camel-amqp, camel-mina, camel-netty, camel-netty-http, camel-vertx-http, camel-infinispan, and the aggregation repository components camel-leveldb, camel-cassandraql, camel-consul, camel-sql (JDBC aggregation repository).<br />
This issue affects Apache Camel: from 4.14.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0.<br />
<br />
Users are recommended to upgrade to a version that contains the CAMEL-23372 fix once available: 4.21.0 for the 4.21.x line, 4.18.3 for the 4.18.x line, and 4.14.8 for the 4.14.x line. For deployments that cannot upgrade immediately, configure a JMS-provider-side allow-list (Apache ActiveMQ Artemis &#39;deserializationAllowList&#39; / &#39;deserializationDenyList&#39;, Apache ActiveMQ Classic &#39;org.apache.activemq.SERIALIZABLE_PACKAGES&#39;) as the primary mitigation, and/or override the in-code default via the endpoint-level &#39;deserializationFilter&#39; option or the JVM-wide &#39;-Djdk.serialFilter&#39; system property with an explicit deny: &#39;!java.net.**;java.**;javax.**;org.apache.camel.**;!*&#39; (or &#39;!java.net.**;java.**;org.apache.camel.**;!*&#39; for the aggregation-repository components, which do not include javax.**).



