Apache Geode security advisories

Security information for Apache Geode

Reporting

Do you want disclose a potential security issue for Apache Geode? You can read more about the projects’ security policy on their security page, and email your report to the Apache Security Team.

Advisories

This section is experimental: it provides advisories since 2023 and may lag behind the official CVE publications. It may also lack details found on the project security page. If you have any feedback on how you would like this data to be provided, you are welcome to reach out on our public mailinglist or privately on security@apache.org

CSRF attacks through GET requests to the Management and Monitoring REST API that can execute gfsh commands on the target system

CVE-2025-47410 [CVE] [CVE json] [OSV json]

Last updated: 2025-10-18T15:15:07.664Z

Affected

  • Apache Geode from 1.10.0 before 1.15.2

Description

Apache Geode is vulnerable to CSRF attacks through GET requests to the Management and Monitoring REST API that could allow an attacker who has tricked a user into giving up their Geode session credentials to submit malicious commands on the target system on behalf of the authenticated user.

This issue affects Apache Geode: versions 1.10 through 1.15.1

Users are recommended to upgrade to version 1.15.2, which fixes the issue.


References

Credits

  • S. M. Zuhair Zaki (finder)

Reflected XSS

CVE-2024-44088 [CVE] [CVE json] [OSV json]

Last updated: 2025-10-14T14:36:50.748Z

Affected

  • Apache Geode from 1.1.0 before 1.15.2

Description

Malicious script injection (‘Cross-site Scripting’) vulnerability in Apache Geode web-api (REST). This vulnerability allows an attacker that tricks a logged-in user into clicking a specially-crafted link to execute code on the returned page, which could lead to theft of the user’s session information and even account takeover.

This issue affects Apache Geode: all versions prior to 1.15.2

Users are recommended to upgrade to version 1.15.2, which fixes the issue.

References

Credits

  • Nbxiglk (finder)

Apache Geode deserialization of untrusted data flaw when using REST API on Java 8 or Java 11

CVE-2022-37023 [CVE] [CVE json] [OSV json]

Last updated: 2022-08-31T06:58:07.415Z

Affected

  • Apache Geode from Apache Geode before 1.15.0

Description

Apache Geode versions prior to 1.15.0 are vulnerable to a deserialization of untrusted data flaw when using REST API on Java 8 or Java 11.

Any user wishing to protect against deserialization attacks involving REST APIs should upgrade to Apache Geode 1.15 and follow the documentation for details on enabling “validate-serializable-objects=true” and specifying any user classes that may be serialized/deserialized with “serializable-object-filter”. Enabling “validate-serializable-objects” may impact performance.

References

Apache Geode deserialization of untrusted data flaw when using JMX over RMI on Java 11

CVE-2022-37022 [CVE] [CVE json] [OSV json]

Last updated: 2022-08-31T06:56:24.123Z

Affected

  • Apache Geode from Apache Geode through 1.12.2

Description

Apache Geode versions up to 1.12.2 and 1.13.2 are vulnerable to a deserialization of untrusted data flaw when using JMX over RMI on Java 11.

Any user wishing to protect against deserialization attacks involving JMX or RMI should upgrade to Apache Geode 1.15. Use of 1.15 on Java 11 will automatically protect JMX over RMI against deserialization attacks. This should have no impact on performance since it only affects JMX/RMI which Gfsh uses to communicate with the JMX Manager which is hosted on a Locator.

References

Apache Geode deserialization of untrusted data flaw when using JMX over RMI on Java 8.

CVE-2022-37021 [CVE] [CVE json] [OSV json]

Last updated: 2022-08-31T06:54:22.083Z

Affected

  • Apache Geode from Apache Geode through 1.12.5

Description

Apache Geode versions up to 1.12.5, 1.13.4 and 1.14.0 are vulnerable to a deserialization of untrusted data flaw when using JMX over RMI on Java 8.

Any user still on Java 8 who wishes to protect against deserialization attacks involving JMX or RMI should upgrade to Apache Geode 1.15 and Java 11.

If upgrading to Java 11 is not possible, then upgrade to Apache Geode 1.15 and specify “–J=-Dgeode.enableGlobalSerialFilter=true” when starting any Locators or Servers. Follow the documentation for details on specifying any user classes that may be serialized/deserialized with the “serializable-object-filter” configuration option. Using a global serial filter will impact performance.

References

Apache Geode stored Cross-Site Scripting (XSS) via data injection vulnerability in Pulse web application

CVE-2022-34870 [CVE] [CVE json] [OSV json]

Last updated: 2022-10-24T18:09:52.450Z

Affected

  • Apache Geode from Apache Geode through 1.15.0

Description

Apache Geode versions up to 1.15.0 are vulnerable to a Cross-Site Scripting (XSS) via data injection when using Pulse web application to view Region entries.

References

Apache Geode log file redaction of sensitive information vulnerability

CVE-2021-34797 [CVE] [CVE json] [OSV json]

Last updated: 2022-06-28T22:46:44.541Z

Affected

  • Apache Geode from Apache Geode through 1.12.4

Description

Apache Geode versions up to 1.12.4 and 1.13.4 are vulnerable to a log file redaction of sensitive information flaw when using values that begin with characters other than letters or numbers for passwords and security properties with the prefix “sysprop-”, “javax.net.ssl”, or “security-”. This issue is fixed by overhauling the log file redaction in Apache Geode versions 1.12.5, 1.13.5, and 1.14.0.

References

Credits

  • Apache Geode would like to thank Aaron Lindsey for reporting this issue.