CVE-2025-47410 — Apache Geode: CSRF attacks through GET requests to the Management and Monitoring

Description

Apache Geode is vulnerable to CSRF attacks through GET requests to the Management and Monitoring REST API that could allow an attacker who has tricked a user into giving up their Geode session credentials to submit malicious commands on the target system on behalf of the authenticated user. This issue affects Apache Geode: versions 1.10 through 1.15.1 Users are recommended to upgrade to version 1.15.2, which fixes the issue.

How to fix CVE-2025-47410

To remediate CVE-2025-47410, upgrade the affected package to a fixed version below.

—upgrade to 1.15.2 or later

Is CVE-2025-47410 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

>= 1.10.0, < 1.15.2

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-47410
PATCHgithub.com/apache/geode
WEBgithub.com/apache/geode/commit/570990909e6fd1e491f01471ad30ee3c2dbff72c
WEBlists.apache.org/thread/k88tv3rhl4ymsvt4h6qsv7sq10q5prrt
WEB