This advisory covers the release of HawtIO 4.2.0 for the Red Hat build of Apache Camel 4 GA Release, which includes security fixes for five CVEs. The vulnerabilities addressed are: CVE-2024-52798, a ReDoS vulnerability in path-to-regexp 0.1.x; CVE-2024-12397, an HTTP Cookie Smuggling vulnerability in io.quarkus.http/quarkus-http-core; CVE-2025-22866, a panic caused by partial keys in crypto/x509; CVE-2025-24970, a native crash issue in io.netty/netty-handler's SslHandler due to improper packet validation; and CVE-2024-57699, a potential denial of service via stack exhaustion in json-smart. The advisory does not provide CVSS scores but classifies the update as important. The vendor recommends applying this update after all previous relevant errata have been applied.

The vulnerabilities fixed in this update include denial of service conditions (ReDoS and stack exhaustion), HTTP cookie smuggling which could impact session integrity, native crashes potentially leading to service disruption, and panic conditions in cryptographic key parsing. These issues could affect the security and stability of applications using the affected components. No known exploits in the wild have been reported at the time of this advisory.

Red Hat has released HawtIO 4.2.0 for the Red Hat build of Apache Camel 4 GA Release to address these vulnerabilities. Users should apply this update after ensuring all previously released relevant errata are installed. Detailed update instructions are available at https://access.redhat.com/articles/11258. No additional mitigation steps are indicated by the vendor beyond applying this security update.