CVE-2025-47410

Published Oct 18, 2025

Last updated 6 months ago

CVSS high 8.8

Overview

Description
Apache Geode is vulnerable to CSRF attacks through GET requests to the Management and Monitoring REST API that could allow an attacker who has tricked a user into giving up their Geode session credentials to submit malicious commands on the target system on behalf of the authenticated user. This issue affects Apache Geode: versions 1.10 through 1.15.1 Users are recommended to upgrade to version 1.15.2, which fixes the issue.
Source
security@apache.org
NVD status
Analyzed
Products
geode

Risk scores

CVSS 3.1

Type
Secondary
Base score
8.8
Impact score
5.9
Exploitability score
2.8
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Severity
HIGH

Weaknesses

security@apache.org
CWE-352

Social media

Hype score
Not currently trending

  1. 🛡️ Cyber Threat Digest – 2025-10-19 KEV: CVE-2025-54253 — Adobe Experience Manager Forms NVD: CVE-2025-47410 — Apache Geode is vulnerable News: OpenAI confirms GPT-6 is not shipping… #cybersecurity #infosec #CVE More: https://t.co/J1fpKfnDnv

    @dpharristech

    19 Oct 2025

    0 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. CVE-2025-47410 Apache Geode is vulnerable to CSRF attacks through GET requests to the Management and Monitoring REST API that could allow an attacker who has tricked a user into giv… https://t.co/pLZwOLbrob

    @CVEnew

    18 Oct 2025

    648 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. CVE-2025-47410 CVE-2025-47410 https://t.co/kZI7nEegsQ

    @VulmonFeeds

    17 Oct 2025

    14 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  4. CVE-2025-47410: Apache Geode: CSRF attacks through GET requests to the Management and Monitoring REST API that can execute gfsh commands on the target system https://t.co/C7CpNLwSka

    @oss_security

    17 Oct 2025

    162 Impressions

    0 Retweets

    0 Likes

    1 Bookmark

    0 Replies

    0 Quotes

Configurations

Related CVEs

  1. Malicious script injection ('Cross-site Scripting') vulnerability in Apache Geode web-api (REST). This vulnerability allows an attacker that tricks a logged-in user into clicking a specially-crafted link to execute code on the returned page, which could lead to theft of the user's session information and even account takeover. This issue affects Apache Geode: all versions prior to 1.15.2 Users are recommended to upgrade to version 1.15.2, which fixes the issue.CVE-2024-44088
  2. Apache Tomcat Improper Privilege Management VulnerabilityCVE-2020-1938
  3. Docker Desktop Community Edition Privilege Escalation VulnerabilityCVE-2019-15752

References

Sources include official advisories and independent security research.