CVE-2025-66169

Graph-Wrecking Ball: Inside CVE-2025-66169 (Apache Camel Cypher Injection)

Amit Schendel
Senior Security Researcher

Jan 15, 2026 · 5 min read

Executive Summary (TL;DR)

The camel-neo4j component in Apache Camel versions prior to 4.10.8, 4.14.3, and 4.17.0 used `String.format` to build Cypher queries directly from user input. Because the input is spliced into the query text, an attacker can break out of the intended literal and append arbitrary Cypher, leading to potential data exfiltration or complete database deletion (DETACH DELETE). The fix switches to parameterized queries, so the query text stays constant and the user-supplied value is sent separately as a parameter.

A Cypher Injection vulnerability in Apache Camel's neo4j component allows attackers to manipulate graph database queries via unsanitized string concatenation.
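The vulnerable and fixed query-building patterns side by side, as an added example written for this report against the Neo4j Java driver API (it is not the camel-neo4j component's own code); the Person label, the name property and the O'Brien sample value are assumptions constructed for illustration.

```java
import java.util.List;
import org.neo4j.driver.Query;
import org.neo4j.driver.Session;
import org.neo4j.driver.Values;

public final class CypherQueryBuilder {

    // Vulnerable shape described in the advisory: the caller-supplied value is
    // spliced into the Cypher text with String.format, so a quote character in
    // the value terminates the string literal and whatever follows it is parsed
    // by the server as Cypher rather than as data.
    static String buildVulnerable(String name) {
        return String.format("MATCH (p:Person {name: '%s'}) RETURN p", name);
    }

    // Fixed shape: the Cypher text is a constant and the value travels as the
    // named parameter $name. The server binds it as a value and never parses it
    // as query syntax, whatever characters it contains.
    static Query buildParameterized(String name) {
        return new Query("MATCH (p:Person {name: $name}) RETURN p",
                         Values.parameters("name", name));
    }

    // Review/test check: for a parameterized builder the query text must be the
    // same for any two inputs. If it differs, input has leaked into the query.
    static boolean queryTextIsInputIndependent(String a, String b) {
        return buildParameterized(a).text().equals(buildParameterized(b).text());
    }

    // Execute the parameterized query on an open session and return the names.
    static List<String> findNames(Session session, String name) {
        return session.run(buildParameterized(name))
                      .list(r -> r.get("p").asNode().get("name").asString());
    }

    public static void main(String[] args) {
        String benign = "Alice";
        String awkward = "O'Brien";   // constructed: one quote is enough to break the literal
        System.out.println(buildVulnerable(awkward));           // literal ends after O
        System.out.println(buildParameterized(awkward).text()); // text unchanged
        System.out.println(queryTextIsInputIndependent(benign, awkward)); // true
    }
}
```

The `queryTextIsInputIndependent` check is the property a unit test should assert on any query-building helper: the same Cypher text regardless of input, with all variability confined to the parameter map.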

Fix Analysis

Technical Appendix

CVSS Score: 6.5 / 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
EPSS Probability: 0.02%

Affected Systems

Apache Camel (camel-neo4j component)

Affected Versions Detail

Product        Vendor   Affected Versions   Fixed Version
Apache Camel   Apache   4.10.0 - 4.10.7     4.10.8
Apache Camel   Apache   4.14.0 - 4.14.2     4.14.3
Apache Camel   Apache   4.15.0 - 4.16.0     4.17.0
Attribute       Detail
CWE ID          CWE-943 (Cypher Injection)
CVSS v3.1       6.5 (Medium)
Attack Vector   Network
EPSS Score      0.00018 (0.04%)
Impact          Data Deletion, Manipulation, Exfiltration
KEV Status      Not Listed

CWE-943: Improper Neutralization of Special Elements in Data Query Logic (Cypher Injection)

Vulnerability Timeline

2025-11-24   Fix commits pushed to Apache Camel repository
2026-01-13   Discussed on OSS-Security mailing list
2026-01-14   CVE Published and Advisory Released
