Apache Geode deserialization of untrusted data flaw when using REST API on Java 8 or Java 11
Description
Apache Geode versions prior to 1.15.0 are vulnerable to a deserialization of untrusted data flaw when using the REST API on Java 8 or Java 11. Any user wishing to protect against deserialization attacks involving REST APIs should upgrade to Apache Geode 1.15 and follow the documentation for details on enabling "validate-serializable-objects=true" and specifying any user classes that may be serialized/deserialized with "serializable-object-filter". Enabling "validate-serializable-objects" may impact performance.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache Geode before 1.15.0 deserializes untrusted data via REST API on Java 8/11, risking remote code execution.
Vulnerability
Overview
Apache Geode versions prior to 1.15.0 contain a deserialization of untrusted data flaw when the REST API is used on Java 8 or Java 11 [1]. This vulnerability arises because the REST endpoint deserializes user-supplied data without adequate validation, allowing an attacker to craft malicious serialized objects that are then processed by the server.
Exploitation
Prerequisites
An attacker must have network access to the Geode REST API endpoint and be able to send serialized Java objects. The advisory does not mention authentication as a prerequisite, so unauthenticated remote attackers may be able to exploit this flaw. The vulnerability is present only when running on Java 8 or Java 11.
Impact
Successful exploitation could allow an attacker to execute arbitrary code in the context of the Geode process, leading to full system compromise, data exfiltration, or service disruption.
Mitigation
Users should upgrade to Apache Geode 1.15.0 or later and follow the documentation to enable the "validate-serializable-objects=true" setting and specify allowed serializable classes via "serializable-object-filter" [1]. Note that enabling validation may impact performance.
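The two settings the advisory names, shown as a gemfire.properties fragment for a Geode 1.15+ server. This is an added example, not configuration from the advisory or the Geode project; the package name is a constructed placeholder, and the allow-list pattern syntax is assumed to follow the JDK serialization-filter conventions that the Geode documentation describes.

```properties
# gemfire.properties on each Geode server (added example, not from the advisory).

# Before (the default): Java-serialized objects arriving via the REST API are
# deserialized without being checked against any class allow list.
# validate-serializable-objects=false

# After: every incoming serialized class is checked; Geode-internal classes and
# the classes matched below are accepted, everything else is rejected.
validate-serializable-objects=true

# Allow list of your own domain classes. Semicolon-separated patterns; "**" is
# assumed to match a package and its sub-packages (verify against the Geode docs).
# "com.example.app.domain" is a constructed placeholder for your application package.
serializable-object-filter=com.example.app.domain.**

# Equivalent JVM form when starting with gfsh (assumed, not from the advisory):
#   start server --name=server1 --J=-Dgemfire.validate-serializable-objects=true \
#     --J=-Dgemfire.serializable-object-filter=com.example.app.domain.**
```

Confirm the setting is active by deserializing one object of a class outside the allow list through the REST API and checking that the server rejects it; the advisory notes that enabling validation may cost some throughput, so measure under realistic load.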
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.geode:geode-core (Maven) | < 1.15.0 | 1.15.0 |
Affected products
- Apache Software Foundation / Apache Geode
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] github.com/advisories/GHSA-72x9-48mc-phh6 (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-37023 (NVD)
- lists.apache.org/thread/6js89pbqrp52zlpwgry5fsdn76gxbbfj (Apache announcement thread)
News mentions
No linked articles in our index yet.