CVE-2026-25747
Received Received - Intake
Deserialization Vulnerability in Apache Camel LevelDB Enables RCE

Publication date: 2026-02-23

Last updated on: 2026-02-26

Assigner: Apache Software Foundation

Description
Deserialization of Untrusted Data vulnerability in Apache Camel LevelDB component. The Camel-LevelDB DefaultLevelDBSerializer class deserializes data read from the LevelDB aggregation repository using java.io.ObjectInputStream without applying any ObjectInputFilter or class-loading restrictions. An attacker who can write to the LevelDB database files used by a Camel application can inject a crafted serialized Java object that, when deserialized during normal aggregation repository operations, results in arbitrary code execution in the context of the application. This issue affects Apache Camel: from 4.10.0 before 4.10.8, from 4.14.0 before 4.14.5, from 4.15.0 before 4.18.0. Users are recommended to upgrade to version 4.18.0, which fixes the issue. For the 4.10.x LTS releases, users are recommended to upgrade to 4.10.9, while for 4.14.x LTS releases, users are recommended to upgrade to 4.14.5
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-23
Last Modified
2026-02-26
Generated
2026-06-16
AI Q&A
2026-02-23
EPSS Evaluated
2026-06-15
NVD
CVE-2026-25747
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
apache camel From 4.15.0 (inc) to 4.18.0 (exc)
apache camel From 3.0.0 (inc) to 4.10.9 (exc)
apache camel From 4.11.0 (inc) to 4.14.5 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-502 The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': "This vulnerability is a deserialization of untrusted data issue in Apache Camel's LevelDB component, specifically in the DefaultLevelDBSerializer class. The class deserializes data from the LevelDB aggregation repository using java.io.ObjectInputStream without applying any filtering or class-loading restrictions."}, {'type': 'paragraph', 'content': 'An attacker who can write to the LevelDB database files can inject a crafted serialized Java object. When this object is deserialized during normal operations, it can lead to arbitrary code execution within the context of the application.'}, {'type': 'paragraph', 'content': 'The root cause is the lack of an ObjectInputFilter or safe deserialization mechanism, allowing malicious payloads to be executed when deserialized.'}] [1, 2]

Impact Analysis

If exploited, this vulnerability allows an attacker with write access to the LevelDB database files to execute arbitrary code within the application context.

This can lead to remote code execution (RCE), potentially compromising the entire system running the vulnerable Apache Camel application.

  • Attackers can inject malicious serialized objects that execute commands or manipulate the system.
  • The vulnerability can be triggered during normal application operations such as recovery of incomplete aggregations or periodic scans.
  • Exploitation requires write access to LevelDB files, which might be possible via shared filesystems or other vulnerabilities.
Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'Detection of this vulnerability involves checking for unauthorized or malicious modifications to the LevelDB database files used by the Apache Camel application, as exploitation requires write access to these files.'}, {'type': 'paragraph', 'content': 'Since the vulnerability is related to deserialization of crafted Java objects in LevelDB files, monitoring for unexpected file changes or suspicious serialized payloads in the LevelDB database directory is recommended.'}, {'type': 'paragraph', 'content': 'Commands to help detect potential exploitation attempts or presence of malicious payloads include:'}, {'type': 'list_item', 'content': 'Use file integrity monitoring tools or commands like `sha256sum` or `md5sum` on LevelDB files to detect unexpected changes.'}, {'type': 'list_item', 'content': 'List recent changes to LevelDB files with `ls -ltr /path/to/leveldb` or `find /path/to/leveldb -type f -mtime -1` to identify recent modifications.'}, {'type': 'list_item', 'content': "Search for suspicious serialized Java objects or known gadget classes in the LevelDB files using `strings` or `hexdump` commands, e.g., `strings /path/to/leveldb/* | grep -i 'commons-collections'`."}, {'type': 'list_item', 'content': 'Monitor application logs for errors or unusual deserialization activity, especially around aggregation repository operations.'}, {'type': 'paragraph', 'content': 'Note that direct network detection is difficult because the vulnerability is exploited via local file writes and deserialization within the application context.'}] [1]

Mitigation Strategies

Immediate mitigation steps include:

  • Upgrade Apache Camel to a fixed version: 4.10.9 for 4.10.x LTS releases, 4.14.5 for 4.14.x LTS releases, or 4.18.0 for later versions.
  • Restrict write access to the LevelDB database files to trusted processes only, preventing attackers from injecting malicious serialized objects.
  • Remove or upgrade vulnerable gadget libraries such as commons-collections 3.x from the classpath to reduce the risk of gadget chain exploitation.
  • Consider using alternative serializers like JacksonLevelDBSerializer instead of the vulnerable DefaultLevelDBSerializer.
  • Employ network segmentation and isolate systems using LevelDB aggregation repositories to limit exposure.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-25747. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart