Red Hat Security Advisory: HawtIO 4.4.0 for Red Hat build of Apache Camel 4 Release and security update.
🔗 CVE IDs covered (23)
📋 Description
CVE-2025-13465 — lodash: prototype pollution in _.unset and _.omit functions CVE-2025-61726 — golang: net/url: Memory exhaustion in query parameter parsing in net/url CVE-2025-61729 — crypto/x509: golang: Denial of Service due to excessive resource consumption via crafted certificate CVE-2026-1002 — io.vertx/vertx-core: static handler component cache can be manipulated to deny the access to static files CVE-2026-1605 — org.eclipse.jetty/jetty-server: Eclipse Jetty: Denial of Service due to unreleased JDK Inflater from compressed HTTP requests CVE-2026-2332 — org.eclipse.jetty/jetty-http: HTTP request smuggling via chunked extension quoted-string parsing CVE-2026-5795 — org.eclipse.jetty.ee10/jetty-ee10: early return from the JASPIAuthenticator class without clearing ThreadLocal variables CVE-2026-6321 — fast-uri: fast-uri: Path traversal vulnerability allows bypass of security policies CVE-2026-22731 — Spring Boot: Spring Boot: Authentication bypass via misconfigured Health Group additional path CVE-2026-32280 — crypto/x509: crypto/tls: golang: Go: Denial of Service vulnerability in certificate chain building CVE-2026-32281 — crypto/x509: golang: Go crypto/x509: Denial of Service via inefficient certificate chain validation CVE-2026-32282 — golang: internal/syscall/unix: Root.Chmod can follow symlinks out of the root CVE-2026-33810 — crypto/x509: golang: Go crypto/x509: Certificate validation bypass due to incorrect DNS constraint application CVE-2026-39852 — io.quarkus:quarkus-vertx-http: io.quarkus:quarkus-vertx-http: Authorization bypass via semicolons in HTTP requests CVE-2026-40972 — Spring Boot: Spring Boot: Remote code execution via timing attack in DevTools remote secret comparison CVE-2026-40973 — Spring Boot: Spring Boot: Arbitrary Code Execution and Session Hijacking via predictable temporary directory CVE-2026-40975 — Spring Boot: Spring Boot: Weak pseudo-random number generation can lead to information disclosure. CVE-2026-42033 — axios: Axios: HTTP Transport Hijacking via Prototype Pollution CVE-2026-42035 — axios: Axios: Arbitrary HTTP header injection via prototype pollution CVE-2026-42039 — axios: Node.js: Axios: Denial of Service via unbounded recursion in toFormData with deeply nested request data CVE-2026-42041 — axios: Axios: Authentication bypass due to prototype pollution of HTTP error handling CVE-2026-42043 — axios: Axios: NO_PROXY bypass via crafted URL CVE-2026-42044 — axios: Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget