CVE-2025-66169: Apache Camel Neo4j Cypher Injection Enables Unauthorized Graph Manipulation

CVE-2025-66169 — Apache Camel (camel-neo4j) — Cypher Injection

CVE Identifier: CVE-2025-66169
Vulnerability Type: Cypher Injection
Severity: Medium
CVSS Score: Medium (vendor-rated)
Affected Component: Apache Camel — camel-neo4j
Backend Database: Neo4j


Affected Versions

  • Apache Camel 4.10.0 → 4.10.7
  • Apache Camel 4.14.0 → 4.14.2
  • Apache Camel 4.15.0 → 4.16.x

Fixed Versions

  • Apache Camel 4.10.8
  • Apache Camel 4.14.3
  • Apache Camel 4.17.0 and later

Executive Summary

CVE-2025-66169 is a Cypher Injection vulnerability in Apache Camel’s Neo4j integration module (camel-neo4j).
The flaw allows untrusted input to be embedded directly into Cypher queries, enabling attackers to alter query logic if they can influence message content processed by Camel routes.

While the vulnerability is rated as Medium, its real-world impact can escalate significantly depending on:

  • How Camel routes are exposed
  • How Cypher queries are constructed
  • What privileges the Neo4j service account holds

This vulnerability is structural, not configuration-specific. If unsafe query construction is used, the risk exists regardless of perimeter defenses.


Technical Background

Apache Camel is commonly used to connect systems using message-based routing. The camel-neo4j component allows Camel routes to execute Cypher queries against Neo4j databases.

Cypher is a declarative graph query language used to:

  • Match nodes and relationships
  • Filter graph paths
  • Create, update, and delete graph data
  • Execute stored procedures

Cypher Injection occurs when query structure and user data are not separated.


Root Cause Analysis

The vulnerability arises when Camel routes:

  • Construct Cypher queries dynamically
  • Use string concatenation or templating
  • Accept input from external or semi-trusted sources
  • Fail to use parameterized Cypher queries

Unsafe pattern:

"MATCH (n {id:'" + input + "'}) RETURN n"

In this pattern, any value supplied in input becomes part of the query syntax.

The database engine cannot distinguish between:

  • Intended query logic
  • Injected attacker logic
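
The following Python example is added here to make the root cause concrete; it is not code from the advisory or from the Apache Camel project. It places the concatenating builder from the "Unsafe pattern" above beside a parameterized builder that returns a (query, parameters) pair, the shape the official Neo4j drivers accept (for instance `Session.run(String, Map<String,Object>)` in the Java driver; the page does not show camel-neo4j's own parameter mechanism, so that is not assumed). A small scanner, written only for this example and not a full Cypher parser, blanks out string literals and `//` comments so that the clause keywords left over are the ones the engine would actually execute. The sample inputs are the ordinary values `alice` and `o'brien` plus the page's Example 1 payload.

```python
import re

# Clause keywords that change what a query does when they appear in query
# structure rather than inside a string literal. DETACH DELETE precedes
# DELETE so the longer form wins.
CLAUSE_RE = re.compile(
    r"\b(OPTIONAL\s+MATCH|MATCH|DETACH\s+DELETE|DELETE|RETURN|CALL|CREATE|"
    r"MERGE|SET|REMOVE|WITH|UNWIND)\b",
    re.IGNORECASE,
)


def build_unsafe(username: str) -> str:
    """The concatenation pattern from the advisory: data is spliced into syntax."""
    return "MATCH (u:User {username:'" + username + "'}) RETURN u"


def build_safe(username: str) -> tuple[str, dict]:
    """Parameterized form: the query text is a constant; the value travels separately.

    The (query, parameters) pair mirrors what the Neo4j drivers accept, e.g.
    session.run(query, parameters). Assumption for this example: the route
    passes both through to the driver unchanged.
    """
    return "MATCH (u:User {username: $username}) RETURN u", {"username": username}


def strip_literals_and_comments(query: str) -> str:
    """Return the query with string literals blanked and // comments removed.

    Minimal scanner constructed for this example: it understands both quote
    styles Cypher accepts and backslash escapes inside them, nothing more.
    """
    out = []
    i, n, quote = 0, len(query), None
    while i < n:
        ch = query[i]
        if quote:                          # inside a literal: drop everything
            if ch == "\\":
                i += 2                     # skip the escaped character
                continue
            if ch == quote:
                quote = None
            i += 1
            continue
        if ch in ("'", '"'):               # literal opens: leave a placeholder
            quote = ch
            out.append(" ")
        elif query.startswith("//", i):    # line comment: skip to end of line
            end = query.find("\n", i)
            i = n if end == -1 else end
            continue
        else:
            out.append(ch)
        i += 1
    return "".join(out)


def structural_clauses(query: str) -> list[str]:
    """Clause keywords the Cypher engine would actually execute for this query."""
    text = strip_literals_and_comments(query)
    return [re.sub(r"\s+", " ", m.group(1).upper()) for m in CLAUSE_RE.finditer(text)]


def structure_is_input_independent(query_for, inputs) -> bool:
    """True when query_for(value) has the same clause structure for every value.

    This is the property parameterization guarantees and concatenation cannot.
    """
    shapes = {tuple(structural_clauses(query_for(v))) for v in inputs}
    return len(shapes) == 1


# Constructed sample inputs: two ordinary usernames and the page's Example 1 payload.
PAYLOAD = "admin'}) RETURN u MATCH (n) //"
INPUTS = ["alice", "o'brien", PAYLOAD]

if __name__ == "__main__":
    for value in INPUTS:
        print(repr(value))
        print("  unsafe:", structural_clauses(build_unsafe(value)))
        template, params = build_safe(value)
        print("  safe:  ", structural_clauses(template), params)
    print("unsafe structure fixed?", structure_is_input_independent(build_unsafe, INPUTS))
    print("safe structure fixed?  ",
          structure_is_input_independent(lambda v: build_safe(v)[0], INPUTS))
```

Run as-is, the concatenating builder yields `['MATCH', 'RETURN']` for `alice`, a broken `['MATCH']` for `o'brien` (the apostrophe closes the literal early, which is the same defect seen from the benign side), and `['MATCH', 'RETURN', 'MATCH']` for the payload. The parameterized builder yields `['MATCH', 'RETURN']` for all three, and the payload is still present, but only as the value of `username`, where it can never be parsed as syntax.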

Why This Is Dangerous in Graph Databases

Graph databases differ from relational databases in that:

  • Queries often traverse large portions of the graph
  • A single query can touch many nodes and relationships
  • Deletion operations (DETACH DELETE) can cascade

This means that even a small injection can result in:

  • Large-scale data exposure
  • Broad data deletion
  • Logical corruption of graph relationships

Exploitability Conditions

An attacker can exploit this vulnerability when all of the following are true:

  1. A vulnerable Camel version is in use
  2. A Camel route executes Cypher queries dynamically
  3. External input reaches the query builder
  4. Queries are not parameterized
  5. The Neo4j account has read or write privileges

There is no public exploit or weaponized PoC at this time. However, exploitation does not require advanced techniques and can be manually crafted.


Proof-of-Concept Examples (Educational Only)

Example 1: Query Expansion

Intended query:

MATCH (u:User {username:'INPUT'}) RETURN u

Injected input:

admin'}) RETURN u MATCH (n) //

Resulting behavior:

  • Original filter bypassed
  • Entire graph queried

Example 2: Data Destruction

Injected input:

test'}) DETACH DELETE n //

Potential outcome:

  • Nodes and relationships removed
  • Permanent graph damage

These examples demonstrate why Cypher Injection is considered a high-risk pattern despite a medium CVSS score.


Potential Impact

If exploited, attackers may:

  • Access sensitive graph data
  • Enumerate internal relationships
  • Modify or delete nodes
  • Bypass authorization logic implemented in queries
  • Corrupt application behavior dependent on graph integrity

Impact severity depends on:

  • Neo4j permissions
  • Application architecture
  • Data sensitivity

MITRE Mapping

  • CWE-89: Improper Neutralization of Special Elements used in a Query Language
  • ATT&CK Techniques (Contextual):
    • Exploit Public-Facing Application
    • Data Manipulation
    • Data Destruction

Detection Strategy

Log Sources to Collect

  • Apache Camel application logs
  • Neo4j query execution logs
  • API gateway logs
  • HTTP request logs
  • Message broker logs
  • Centralized SIEM

Indicators of Compromise

  • Cypher keywords in user-supplied input
  • Queries containing unexpected MATCH, CALL, or DELETE clauses
  • Graph write/delete activity from read-only services
  • Queries that differ from known templates
  • Sudden spikes in Neo4j write operations

SIEM Detection Rules

Rule 1: Cypher Keyword Injection

(MATCH\s*\(|RETURN\s+|CALL\s+\w+|DETACH\s+DELETE|CREATE\s*\()

Use on:

  • Neo4j query logs
  • Application debug logs

Rule 2: Input Context Escape

('|\")\s*(OR|AND)\s*('|\")

Use on:

  • HTTP request bodies
  • API parameters
  • Message payloads

Rule 3: Splunk Query

index=app_logs OR index=neo4j_logs
| regex _raw="(?i)(MATCH|RETURN|CALL|DETACH DELETE)"
| stats count by host, user, request_id

Rule 4: Elastic (KQL)

message : /(?i)(MATCH\s*\(|CALL\s+|DETACH\s+DELETE)/

Rule 5: Sigma-Style Rule

title: Apache Camel Neo4j Cypher Injection Attempt
logsource:
  category: application
detection:
  keywords:
    - MATCH
    - RETURN
    - CALL
    - DETACH DELETE
  condition: keywords
level: high

False Positive Reduction

  • Scope rules to Neo4j-using services only
  • Correlate request logs with query logs
  • Compare against known safe query templates
  • Baseline normal query patterns
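
The following Python example is added to show Rule 1, Rule 2 and the false-positive reduction steps above working together over log data; it is not code from the advisory or from Apache Camel. The two regular expressions are the page's own. The events are constructed for this example: request-log records (service name, user-supplied input) joined to Neo4j query-log records on a hypothetical `request_id` field, with a baseline of known query templates built by replacing string literals with `?`. The service names, field names and templates are assumptions, not anything the advisory specifies.

```python
import re

# Rule 1 and Rule 2 from the advisory, compiled case-insensitively.
RULE1_CYPHER_KEYWORDS = re.compile(
    r"(MATCH\s*\(|RETURN\s+|CALL\s+\w+|DETACH\s+DELETE|CREATE\s*\()", re.IGNORECASE
)
RULE2_CONTEXT_ESCAPE = re.compile(r"('|\")\s*(OR|AND)\s*('|\")", re.IGNORECASE)

# Cypher string literals, single or double quoted, with backslash escapes.
STRING_LITERAL = re.compile(r"'(?:[^'\\]|\\.)*'|\"(?:[^\"\\]|\\.)*\"")


def normalize_query(query: str) -> str:
    """Replace every string literal with ? and collapse whitespace.

    Two executions of the same route then normalize to the same template even
    though the user-supplied values differ, which is what "compare against
    known safe query templates" needs.
    """
    return re.sub(r"\s+", " ", STRING_LITERAL.sub("?", query)).strip()


# Services the inventory says talk to Neo4j (assumed names); rules are scoped to these.
NEO4J_SERVICES = {"user-api"}

# Baseline of query shapes the user-api route legitimately emits (constructed).
KNOWN_TEMPLATES = {
    normalize_query("MATCH (u:User {username:'x'}) RETURN u"),         # legacy concatenating route
    normalize_query("MATCH (u:User {username: $username}) RETURN u"),  # parameterized route
}

# Constructed sample events. "query" is absent when the service does not use Neo4j.
SAMPLE_EVENTS = [
    {"request_id": "r1", "service": "user-api", "input": "alice",
     "query": "MATCH (u:User {username:'alice'}) RETURN u"},
    # The page's Example 1 payload passing through the concatenating route.
    {"request_id": "r2", "service": "user-api", "input": "admin'}) RETURN u MATCH (n) //",
     "query": "MATCH (u:User {username:'admin'}) RETURN u MATCH (n) //'}) RETURN u"},
    # A support ticket that merely mentions Cypher words; out of scope, so no alert.
    {"request_id": "r3", "service": "ticket-svc",
     "input": "Please MATCH (my) order and RETURN the refund"},
    # A legitimate apostrophe through the parameterized route: nothing fires.
    {"request_id": "r4", "service": "user-api", "input": "o'brien",
     "query": "MATCH (u:User {username: $username}) RETURN u"},
    # Quote-context escape (Rule 2) that also changes the query shape.
    {"request_id": "r5", "service": "user-api", "input": "x' OR '1",
     "query": "MATCH (u:User {username:'x' OR '1'}) RETURN u"},
]


def analyze(events, neo4j_services=NEO4J_SERVICES, known_templates=KNOWN_TEMPLATES):
    """Return {request_id: [reasons]} for events that look like Cypher injection."""
    findings = {}
    for ev in events:
        if ev["service"] not in neo4j_services:
            continue  # false-positive reduction: only Neo4j-using services
        reasons = []
        if RULE1_CYPHER_KEYWORDS.search(ev["input"]):
            reasons.append("rule1:cypher-keywords-in-input")
        if RULE2_CONTEXT_ESCAPE.search(ev["input"]):
            reasons.append("rule2:quote-context-escape")
        query = ev.get("query")
        if query is not None and normalize_query(query) not in known_templates:
            reasons.append("template:query-deviates-from-baseline")
        if reasons:
            findings[ev["request_id"]] = reasons
    return findings


if __name__ == "__main__":
    for rid, reasons in analyze(SAMPLE_EVENTS).items():
        print(rid, ", ".join(reasons))
```

With the scope set to `user-api` only, `r2` and `r5` are reported and each carries two independent reasons (a keyword or context-escape hit on the input, and a query shape that is not in the baseline), while `r1`, `r3` and `r4` are silent. Widening the scope to include `ticket-svc` makes `r3` fire on Rule 1 alone, which is the kind of single-signal false positive the correlation with query logs is meant to filter out.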

Prevention and Hardening

  • Always use parameterized Cypher queries
  • Avoid string concatenation in Camel routes
  • Validate and sanitize external input
  • Apply least-privilege Neo4j credentials
  • Enable Neo4j query logging
  • Monitor graph write operations

Remediation

Upgrade Apache Camel immediately to a patched version:

  • 4.10.8+
  • 4.14.3+
  • 4.17.0+

Official advisory and upgrade instructions:
https://camel.apache.org/security/CVE-2025-66169.html


Operational Guidance for SOC Teams

  • Inventory all services using camel-neo4j
  • Identify externally exposed routes
  • Enable enhanced logging temporarily post-upgrade
  • Review Neo4j write activity history
  • Rotate credentials if suspicious activity is detected

Final Takeaway

CVE-2025-66169 is a classic injection vulnerability in an integration framework. While not rated critical, it can have severe consequences in environments where Camel routes interact with sensitive or highly connected graph data.

The absence of public exploits should not be treated as safety. Injection vulnerabilities are frequently exploited shortly after disclosure.

Upgrading and validating query construction are both mandatory.


Aegiron

Backed by 11+ years in cybersecurity and incident response, we decode the latest threats shaping today’s digital battlefield. This blog cuts through the noise with clear insights on vulnerabilities, emerging exploits, and the cyber news defenders can’t afford to miss.