8.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-47410

GHSA ID

GHSA-gjp8-99fv-cgcw

EPSS Score

0.00545%

CWE

CWE-352

Published

10/18/2025

Updated

10/20/2025

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-47410

CVE-2025-47410: Apache Geode: CSRF attacks through GET requests to the Management and Monitoring REST API that can execute gfsh commands on the target system

Apache Geode is vulnerable to CSRF attacks through GET requests to the Management and Monitoring REST API that could allow an attacker who has tricked a user into giving up their Geode session credentials to submit malicious commands on the target system on behalf of the authenticated user.

This issue affects Apache Geode: versions 1.10 through 1.15.1

Users are recommended to upgrade to version 1.15.2, which fixes the issue.

(GitHub Advisory)

8.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-47410

GHSA ID

GHSA-gjp8-99fv-cgcw

EPSS Score

0.00545%

CWE

CWE-352

Published

10/18/2025

Updated

10/20/2025

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.apache.geode:geode-web	maven	>= 1.10.0, < 1.15.2	1.15.2

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability described is a Cross-Site Request Forgery (CSRF) in the Apache Geode Management and Monitoring REST API. The provided commit 570990909e6fd1e491f01471ad30ee3c2dbff72c directly addresses this issue. The patch modifies the ShellCommandsController.java file, specifically changing the @RequestMapping annotation for the command method. Previously, the endpoint /management/commands accepted both GET and POST requests. The patch removes RequestMethod.GET, restricting the endpoint to only RequestMethod.POST. This is a standard and effective mitigation for CSRF vulnerabilities, as it prevents attackers from executing commands through malicious URLs that trigger GET requests. Therefore, the command function within the ShellCommandsController is the vulnerable function, as it was the entry point for the CSRF attack.

Vulnerable functions

org.apache.geode.management.internal.web.controllers.ShellCommandsController.command

geode-web/src/main/java/org/apache/geode/management/internal/web/controllers/ShellCommandsController.java

The `command` function was vulnerable to Cross-Site Request Forgery (CSRF) because it accepted GET requests. An attacker could craft a malicious URL that, when clicked by an authenticated user, would execute arbitrary commands on the Geode system. The patch mitigates this by restricting the endpoint to only accept POST requests, which prevents simple CSRF attacks via malicious links.

WAF Protection Rules

WAF Rule

*p**** **o** is vuln*r**l* to *SR* *tt**ks t*rou** **T r*qu*sts to t** M*n***m*nt *n* Monitorin* R*ST *PI t**t *oul* *llow *n *tt**k*r w*o **s tri*k** * us*r into *ivin* up t**ir **o** s*ssion *r***nti*ls to su*mit m*li*ious *omm*n*s on t** t*r**t sy

Reasoning

T** vuln*r**ility **s*ri*** is * *ross-Sit* R*qu*st *or**ry (*SR*) in t** *p**** **o** M*n***m*nt *n* Monitorin* R*ST *PI. T** provi*** *ommit `****************************************` *ir**tly ***r*ss*s t*is issu*. T** p*t** mo*i*i*s t** `S**ll*omm

8.8

Basic Information

Concerned about an active attack path?

CVE-2025-47410: Apache Geode: CSRF attacks through GET requests to the Management and Monitoring REST API that can execute gfsh commands on the target system

8.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI