This advisory from Red Hat Product Security announces a patch release for the Red Hat build of Apache Camel 4.10.7 for Spring Boot that fixes five distinct security vulnerabilities. The fixed issues include: an XXE vulnerability in Eclipse JGit (CVE-2025-4949), which can lead to XML external entity attacks; an authorization bypass in Spring Security core (CVE-2025-41248); an annotation detection vulnerability in Spring Framework core components (CVE-2025-41249); HTTP request smuggling vulnerabilities in Netty HTTP and HTTP2 codecs due to improper parsing of chunk extensions (CVE-2025-58056); and a value substitution vulnerability in the minio-java client XML tag handling (CVE-2025-59952). The advisory classifies the update as Important and recommends applying the patch after all previous relevant updates are installed. No known exploits in the wild have been reported at the time of publication.

The vulnerabilities fixed in this update could allow attackers to bypass authorization controls, exploit XML external entity processing to access or manipulate sensitive data, perform HTTP request smuggling attacks, or substitute values in XML tags leading to potential data manipulation or injection attacks. These issues affect core components used in the Red Hat build of Apache Camel for Spring Boot, potentially impacting applications that rely on these libraries for security and communication. The overall security impact is rated as Important by Red Hat.

A patch release for Red Hat build of Apache Camel 4.10.7 for Spring Boot is available that addresses these vulnerabilities. Users should apply this update after ensuring all previously released relevant errata have been applied. Refer to the official Red Hat advisory RHSA-2025:18028 for detailed instructions on applying the update. No additional mitigation steps are indicated beyond applying the official patch.