Apache Geode security advisories
Security information for Apache Geode
Reporting
Do you want disclose a potential security issue for Apache Geode? You can read more about the projects’ security policy on their security page, and email your report to the Apache Security Team.
Advisories
This section is experimental: it provides advisories since 2023 and may lag behind the official CVE publications. It may also lack details found on the project security page. If you have any feedback on how you would like this data to be provided, you are welcome to reach out on our public mailinglist or privately on security@apache.org
CSRF attacks through GET requests to the Management and Monitoring REST API that can execute gfsh commands on the target system
CVE-2025-47410 [CVE] [CVE json] [OSV json]
Last updated: 2025-10-18T15:15:07.664Z
Affected
- Apache Geode from 1.10.0 before 1.15.2
Description
Apache Geode is vulnerable to CSRF attacks through GET requests to the Management and Monitoring REST API that could allow an attacker who has tricked a user into giving up their Geode session credentials to submit malicious commands on the target system on behalf of the authenticated user.
This issue affects Apache Geode: versions 1.10 through 1.15.1
Users are recommended to upgrade to version 1.15.2, which fixes the issue.
References
Credits
- S. M. Zuhair Zaki (finder)
Reflected XSS
CVE-2024-44088 [CVE] [CVE json] [OSV json]
Last updated: 2025-10-14T14:36:50.748Z
Affected
- Apache Geode from 1.1.0 before 1.15.2
Description
Malicious script injection (‘Cross-site Scripting’) vulnerability in Apache Geode web-api (REST). This vulnerability allows an attacker that tricks a logged-in user into clicking a specially-crafted link to execute code on the returned page, which could lead to theft of the user’s session information and even account takeover.
This issue affects Apache Geode: all versions prior to 1.15.2
Users are recommended to upgrade to version 1.15.2, which fixes the issue.
References
Credits
- Nbxiglk (finder)
Apache Geode deserialization of untrusted data flaw when using REST API on Java 8 or Java 11
CVE-2022-37023 [CVE] [CVE json] [OSV json]
Last updated: 2022-08-31T06:58:07.415Z
Affected
- Apache Geode from Apache Geode before 1.15.0
Description
Apache Geode versions prior to 1.15.0 are vulnerable to a deserialization of untrusted data flaw when using REST API on Java 8 or Java 11.
Any user wishing to protect against deserialization attacks involving REST APIs should upgrade to Apache Geode 1.15 and follow the documentation for details on enabling “validate-serializable-objects=true” and specifying any user classes that may be serialized/deserialized with “serializable-object-filter”. Enabling “validate-serializable-objects” may impact performance.
References
Apache Geode deserialization of untrusted data flaw when using JMX over RMI on Java 11
CVE-2022-37022 [CVE] [CVE json] [OSV json]
Last updated: 2022-08-31T06:56:24.123Z
Affected
- Apache Geode from Apache Geode through 1.12.2
Description
Apache Geode versions up to 1.12.2 and 1.13.2 are vulnerable to a deserialization of untrusted data flaw when using JMX over RMI on Java 11.
Any user wishing to protect against deserialization attacks involving JMX or RMI should upgrade to Apache Geode 1.15. Use of 1.15 on Java 11 will automatically protect JMX over RMI against deserialization attacks. This should have no impact on performance since it only affects JMX/RMI which Gfsh uses to communicate with the JMX Manager which is hosted on a Locator.
References
Apache Geode deserialization of untrusted data flaw when using JMX over RMI on Java 8.
CVE-2022-37021 [CVE] [CVE json] [OSV json]
Last updated: 2022-08-31T06:54:22.083Z
Affected
- Apache Geode from Apache Geode through 1.12.5
Description
Apache Geode versions up to 1.12.5, 1.13.4 and 1.14.0 are vulnerable to a deserialization of untrusted data flaw when using JMX over RMI on Java 8.
Any user still on Java 8 who wishes to protect against deserialization attacks involving JMX or RMI should upgrade to Apache Geode 1.15 and Java 11.
If upgrading to Java 11 is not possible, then upgrade to Apache Geode 1.15 and specify “–J=-Dgeode.enableGlobalSerialFilter=true” when starting any Locators or Servers. Follow the documentation for details on specifying any user classes that may be serialized/deserialized with the “serializable-object-filter” configuration option. Using a global serial filter will impact performance.
References
Apache Geode stored Cross-Site Scripting (XSS) via data injection vulnerability in Pulse web application
CVE-2022-34870 [CVE] [CVE json] [OSV json]
Last updated: 2022-10-24T18:09:52.450Z
Affected
- Apache Geode from Apache Geode through 1.15.0
Description
Apache Geode versions up to 1.15.0 are vulnerable to a Cross-Site Scripting (XSS) via data injection when using Pulse web application to view Region entries.
References
Apache Geode log file redaction of sensitive information vulnerability
CVE-2021-34797 [CVE] [CVE json] [OSV json]
Last updated: 2022-06-28T22:46:44.541Z
Affected
- Apache Geode from Apache Geode through 1.12.4
Description
Apache Geode versions up to 1.12.4 and 1.13.4 are vulnerable to a log file redaction of sensitive information flaw when using values that begin with characters other than letters or numbers for passwords and security properties with the prefix “sysprop-”, “javax.net.ssl”, or “security-”. This issue is fixed by overhauling the log file redaction in Apache Geode versions 1.12.5, 1.13.5, and 1.14.0.
References
- https://lists.apache.org/thread/p4l0g49rzzzpn8yt9q9p0xp52h3zmsmk
- https://lists.apache.org/thread/nq2w9gjzm1cjx1rh6zw41ty39qw7qpx4
Credits
- Apache Geode would like to thank Aaron Lindsey for reporting this issue.