CVE-2025-47410
BaseFortify
Publication date: 2025-10-18
Last updated on: 2025-11-04
Assigner: Apache Software Foundation
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| apache | geode | From 1.10.0 (inc) to 1.15.2 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in Apache Geode allows Cross-Site Request Forgery (CSRF) attacks via GET requests to its Management and Monitoring REST API. An attacker who tricks a user into revealing their Geode session credentials can then submit malicious commands on the system, acting as the authenticated user.
How can this vulnerability impact me?
If exploited, this vulnerability can allow attackers to execute unauthorized commands on the Apache Geode system with the privileges of an authenticated user, potentially leading to unauthorized actions, data manipulation, or system compromise.
What immediate steps should I take to mitigate this vulnerability?
Users are recommended to upgrade Apache Geode to version 1.15.2, which fixes the CSRF vulnerability. Until the upgrade can be applied, avoid exposing the Management and Monitoring REST API to untrusted networks and ensure users are aware not to share their session credentials.
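The Q&A above describes the CWE-352 pattern (a state-changing operation reachable over GET, authenticated only by a cookie the browser attaches automatically) and the usual server-side fixes. The following is an added illustration written for this page, not Apache Geode's own code or the patch shipped in 1.15.2: a minimal request gate showing the pre-fix behaviour beside a hardened one. The endpoint paths, trusted origin, session id and anti-CSRF token are constructed placeholders; nothing here reproduces Geode's real REST routes.

```python
"""Minimal CSRF gate for a management REST API (added example, not Geode code).

Two gates are shown over the same constructed requests:
  vulnerable_gate: accepts any request carrying a valid session cookie,
                   including a GET that performs a state change (CWE-352).
  hardened_gate:   state changes are refused over safe methods, a mismatched
                   browser Origin/Referer is refused, and a per-session
                   anti-CSRF token must be echoed in a request header.
"""
from dataclasses import dataclass, field
from urllib.parse import urlsplit
import hmac

# Hypothetical paths; real Geode endpoint names are not taken from the page.
STATE_CHANGING_PATHS = {"/management/commands"}
# Constructed: the origin the legitimate admin UI is served from.
TRUSTED_ORIGINS = {"https://geode-admin.example.internal"}
# Constructed session store: session id -> anti-CSRF token bound to that session.
SESSIONS = {"s3ss10n-constructed": "tok-constructed-0001"}


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)


def _browser_origin(request):
    """Return the scheme://host of the page that issued the request, if the
    browser told us (Origin first, Referer as fallback), else None."""
    origin = request.headers.get("Origin")
    if origin:
        return origin.rstrip("/")
    referer = request.headers.get("Referer")
    if referer:
        parts = urlsplit(referer)
        return f"{parts.scheme}://{parts.netloc}"
    return None


def vulnerable_gate(request):
    """Pre-fix behaviour: a valid session cookie is the only check, so a link or
    image tag on an attacker-controlled page rides the victim's session."""
    return request.cookies.get("session") in SESSIONS


def hardened_gate(request):
    """Post-fix behaviour. Returns (allowed, reason) so a log line can say why."""
    session = request.cookies.get("session")
    if session not in SESSIONS:
        return False, "no valid session"
    if request.path in STATE_CHANGING_PATHS:
        # 1. Safe methods must stay read-only; a command over GET is refused.
        if request.method in ("GET", "HEAD"):
            return False, "state change over safe method"
        # 2. If the browser reports where the request came from, it must be ours.
        origin = _browser_origin(request)
        if origin is not None and origin not in TRUSTED_ORIGINS:
            return False, "untrusted origin"
        # 3. The token lives only in the admin UI's page, never in a cookie, so a
        #    cross-site page cannot supply it. Constant-time compare.
        token = request.headers.get("X-CSRF-Token", "")
        if not hmac.compare_digest(token, SESSIONS[session]):
            return False, "missing or wrong anti-CSRF token"
    return True, "ok"


# Constructed sample traffic.
FORGED = Request(  # what a lure page can make the victim's browser send
    "GET", "/management/commands",
    headers={"Referer": "https://attacker.example/lure"},
    cookies={"session": "s3ss10n-constructed"},
)
LEGIT = Request(  # what the real admin UI sends
    "POST", "/management/commands",
    headers={"Origin": "https://geode-admin.example.internal",
             "X-CSRF-Token": "tok-constructed-0001"},
    cookies={"session": "s3ss10n-constructed"},
)
READ_ONLY = Request("GET", "/management/status",
                    cookies={"session": "s3ss10n-constructed"})

if __name__ == "__main__":
    for name, req in (("forged", FORGED), ("legit", LEGIT), ("read-only", READ_ONLY)):
        print(f"{name:10} vulnerable={vulnerable_gate(req)} hardened={hardened_gate(req)}")
```

The gate only refuses a cross-origin request when the browser actually reports an Origin or Referer; non-browser tooling that omits both still has to present the session-bound token, which is the check a cross-site page cannot satisfy. Logging the returned reason gives a simple detection signal for forged requests arriving while an upgrade is pending.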