
CVE Reports

Originally published at cvereports.com

CVE-2025-66169: Graph-Wrecking Ball: Inside CVE-2025-66169 (Apache Camel Cypher Injection)

Vulnerability ID: CVE-2025-66169
CVSS Score: 6.5
Published: 2026-01-14

A Cypher Injection vulnerability in Apache Camel's neo4j component allows attackers to manipulate graph database queries via unsanitized string concatenation.

TL;DR

The camel-neo4j component in Apache Camel versions prior to 4.10.8, 4.14.3, and 4.17.0 used String.format to build Cypher queries directly from user input. This allows attackers to inject arbitrary Cypher commands, leading to potential data exfiltration or complete database deletion (DETACH DELETE). The fix involves switching to parameterized queries.
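To make the TL;DR concrete, the following is an added example (my own code, not Apache Camel's) that places the pre-fix String.format shape next to a parameterized build and runs both on the payload quoted later in this report. The class name, the Query record and the identifier whitelist are assumptions for the demo; the point it adds is that Neo4j cannot take labels or variable names as query parameters, so the alias and label still need to be validated as plain identifiers even after the body moves into $props.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Pattern;

// Added example, not code from Apache Camel: the pre-fix String.format shape
// next to a parameterized build, so the difference is visible on one input.
// Neo4j does not accept labels or variable names as query parameters, so the
// parameterized builder validates alias and label as plain identifiers instead.
public class CypherBuildDemo {

    // Assumption: a conservative identifier whitelist (letter, then letters,
    // digits or underscores). Anything else is rejected rather than quoted.
    private static final Pattern IDENTIFIER = Pattern.compile("^[A-Za-z][A-Za-z0-9_]*$");

    /** A parameterized query: constant text plus the map handed to the driver. */
    public record Query(String text, Map<String, Object> params) {}

    /** Pre-fix shape from the advisory: the caller's body is spliced into the text. */
    public static String buildVulnerable(String alias, String label, String body) {
        return String.format("CREATE (%s:%s %s)", alias, label, body);
    }

    /** Fixed shape: properties travel as the $props parameter, never as query text. */
    public static Query buildParameterized(String alias, String label, Map<String, Object> props) {
        requireIdentifier(alias, "alias");
        requireIdentifier(label, "label");
        String text = String.format("CREATE (%s:%s $props)", alias, label);
        return new Query(text, Map.of("props", props));
    }

    static void requireIdentifier(String value, String what) {
        if (value == null || !IDENTIFIER.matcher(value).matches()) {
            throw new IllegalArgumentException(what + " is not a plain Cypher identifier: " + value);
        }
    }

    public static void main(String[] args) {
        // Constructed input: the payload quoted in this advisory, used as a property value.
        String payload = "'}) WITH 1 AS dummy MATCH (n) DETACH DELETE n //";

        // Vulnerable path: the quote and brace inside the value close the map and the
        // node pattern, and everything after them is parsed as further Cypher.
        String body = "{name: '" + payload + "'}";
        System.out.println("vulnerable text : " + buildVulnerable("n", "Person", body));

        // Parameterized path: the query text is constant and the value stays data.
        Map<String, Object> props = new LinkedHashMap<>();
        props.put("name", payload);
        Query q = buildParameterized("n", "Person", props);
        System.out.println("parameterized   : " + q.text());
        System.out.println("params          : " + q.params());
        // With the Neo4j Java driver this would be executed as
        // session.run(q.text(), q.params()); no database is assumed here.

        // A label that is not a plain identifier is refused instead of interpolated.
        try {
            buildParameterized("n", "Person-v2", props);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected        : " + e.getMessage());
        }
    }
}
```

Running main prints the vulnerable query with the payload's closing quote and brace already part of the Cypher text, while the parameterized query text is identical for every input and the same string appears only inside the params map. The identifier check is what keeps the remaining String.format arguments from becoming a second injection point.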

⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-943 (Cypher Injection)
  • CVSS v3.1: 6.5 (Medium)
  • Attack Vector: Network
  • EPSS Score: 0.00018 (0.04%)
  • Impact: Data Deletion, Manipulation, Exfiltration
  • KEV Status: Not Listed

Affected Systems

  • Apache Camel (camel-neo4j component)
  • Apache Camel: 4.10.0 - 4.10.7 (Fixed in: 4.10.8)
  • Apache Camel: 4.14.0 - 4.14.2 (Fixed in: 4.14.3)
  • Apache Camel: 4.15.0 - 4.16.0 (Fixed in: 4.17.0)

Code Analysis

Commit: 66715d3

Primary fix implementing parameterization for Neo4j queries

- query = String.format("CREATE (%s:%s %s)", alias, label, body);
+ query = String.format("CREATE (%s:%s $props)", alias, label);
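Review bot: the `+` line still passes alias and label through String.format, so only the body is parameterized; because Neo4j cannot bind labels or variable names as parameters, those two arguments should be validated against an identifier pattern (or backtick-quoted with embedded backticks escaped) before formatting wherever they can originate from a header or message. The hunk also does not show where the map behind `$props` is bound; confirm the properties are supplied as the parameter map of the run call rather than serialized back into the query text, otherwise the placeholder changes nothing.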

Exploit Details

  • Hypothetical payload: '}) WITH 1 AS dummy MATCH (n) DETACH DELETE n //'

Mitigation Strategies

  • Input Parameterization (Primary Fix)
  • Strict Input Validation/Sanitization
  • Database Least Privilege
  • WAF Filtering

Remediation Steps:

  1. Identify all Camel routes using the neo4j component.
  2. Check the Camel version. If it is within 4.10.0-4.10.7, 4.14.0-4.14.2, or 4.15.x-4.16.x, you are vulnerable.
  3. Update dependencies to 4.10.8, 4.14.3, or 4.17.0 immediately.
  4. If updating is not possible, add a Processor in front of the Neo4j endpoint that checks that the message body is strictly valid JSON and contains no Cypher keywords.
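The stopgap in step 4, as an added example rather than code from the Apache Camel project: a Camel Processor that parses the body with Jackson in strict mode (trailing tokens rejected), requires a single JSON object, and refuses any key or string value carrying a Cypher clause keyword. The class name and the keyword list are assumptions; the block needs camel-api and jackson-databind on the classpath and uses only their documented APIs.

```java
import java.util.Iterator;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

import org.apache.camel.Exchange;
import org.apache.camel.Processor;

import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.DeserializationFeature;
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;

// Added example, not Apache Camel's code: a guard for routes that cannot move
// to a fixed version yet. Strict JSON parsing plus a clause-keyword check on
// every key and string value, applied after JSON unescaping so escaped
// characters do not hide a keyword from the check.
public class Neo4jBodyGuard implements Processor {

    // FAIL_ON_TRAILING_TOKENS makes "{} trailing" an error instead of silently
    // parsing the first object.
    private static final ObjectMapper MAPPER = new ObjectMapper()
            .enable(DeserializationFeature.FAIL_ON_TRAILING_TOKENS);

    // Assumption: the clause keywords worth blocking on a CREATE-style route.
    // Tune this to what the route legitimately carries; it is deliberately coarse.
    private static final Pattern CYPHER_KEYWORDS = Pattern.compile(
            "\\b(MATCH|DETACH|DELETE|REMOVE|SET|MERGE|CREATE|DROP|CALL|LOAD|WITH|RETURN|UNWIND)\\b",
            Pattern.CASE_INSENSITIVE);

    @Override
    public void process(Exchange exchange) throws Exception {
        // Throwing here stops the route before the neo4j endpoint is reached;
        // Camel's error handler decides what happens to the exchange.
        validate(exchange.getMessage().getBody(String.class));
    }

    /** Throws IllegalArgumentException when the body must not reach the endpoint. */
    public static void validate(String body) {
        if (body == null || body.isBlank()) {
            throw new IllegalArgumentException("empty body");
        }
        JsonNode root;
        try {
            root = MAPPER.readTree(body);
        } catch (JsonProcessingException e) {
            throw new IllegalArgumentException("body is not valid JSON: " + e.getOriginalMessage());
        }
        if (root == null || !root.isObject()) {
            throw new IllegalArgumentException("body must be a single JSON object");
        }
        scan("$", root);
    }

    // Walk keys and string leaves; numbers and booleans cannot carry Cypher text.
    private static void scan(String path, JsonNode node) {
        if (node.isTextual()) {
            reject(node.asText(), path);
        } else if (node.isObject()) {
            for (Iterator<String> it = node.fieldNames(); it.hasNext(); ) {
                String key = it.next();
                reject(key, path + " (key)");
                scan(path + "." + key, node.get(key));
            }
        } else if (node.isArray()) {
            for (int i = 0; i < node.size(); i++) {
                scan(path + "[" + i + "]", node.get(i));
            }
        }
    }

    private static void reject(String text, String path) {
        Matcher m = CYPHER_KEYWORDS.matcher(text);
        if (m.find()) {
            throw new IllegalArgumentException("Cypher keyword '" + m.group(1) + "' at " + path);
        }
    }

    public static void main(String[] args) {
        // Constructed inputs: a benign body, the advisory's payload inside a JSON
        // string, and a Cypher-style map literal that is not JSON at all.
        String good = "{\"name\": \"Ada\", \"age\": 36}";
        String bad = "{\"name\": \"'}) WITH 1 AS dummy MATCH (n) DETACH DELETE n //\"}";
        String notJson = "{name: 'Ada'}";
        for (String body : List.of(good, bad, notJson)) {
            try {
                validate(body);
                System.out.println("accepted: " + body);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + body + " -> " + e.getMessage());
            }
        }
    }
}
```

Wire it in the route with .process(new Neo4jBodyGuard()) immediately before the neo4j endpoint. Two caveats a practitioner should weigh: a keyword list of this kind rejects ordinary text such as a value containing the word "with", and it only narrows the window rather than closing it, so it is a bridge until the dependency is on 4.10.8, 4.14.3 or 4.17.0, where the component itself parameterizes the properties.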

References

Read the full report for CVE-2025-66169 on our website for more details including interactive diagrams and full exploit analysis.
