VYPR
High severity · NVD Advisory · Published Oct 18, 2025 · Updated Nov 4, 2025

Apache Geode: CSRF attacks through GET requests to the Management and Monitoring REST API that can execute gfsh commands on the target system

CVE-2025-47410

Description

Apache Geode is vulnerable to CSRF attacks through GET requests to the Management and Monitoring REST API that could allow an attacker who has tricked a user into giving up their Geode session credentials to submit malicious commands on the target system on behalf of the authenticated user.

This issue affects Apache Geode versions 1.10 through 1.15.1.

Users are recommended to upgrade to version 1.15.2, which fixes the issue.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A CSRF vulnerability in Apache Geode's Management and Monitoring REST API allows an attacker to execute gfsh commands on behalf of an authenticated user via GET requests.

Vulnerability

Description

CVE-2025-47410 is a Cross-Site Request Forgery (CSRF) vulnerability in the Management and Monitoring REST API of Apache Geode. The root cause is that the /management/commands endpoint accepted both GET and POST requests [3][4]. This allowed an attacker to craft a malicious GET request that, when clicked by an authenticated user, would execute arbitrary gfsh commands on the target Geode system using the user's session credentials [2][3].

Attack

Vector and Prerequisites

The attack requires tricking an authenticated Geode user into following a crafted link or visiting a malicious page that issues a GET request to the vulnerable endpoint [1][3]. No additional authentication is needed beyond the victim's existing session; the attacker does not need direct network access to the Geode cluster if the user's browser can reach the Management and Monitoring REST API [1]. The vulnerability affects Apache Geode versions 1.10 through 1.15.1 [2][3].

Impact

Successful exploitation allows an attacker to execute any gfsh command that the victim has permission to run, including operations that could modify cluster configuration, delete data, or create new regions [3][4]. The impact is limited by the privileges of the user whose session is hijacked, but an attacker gaining access to an administrative session could achieve full compromise of the Geode cluster [1][2].

Mitigation

The fix is in Apache Geode version 1.15.2, which disallows GET requests to the /management/commands endpoint by changing the @RequestMapping to accept only POST requests [4]. Users should upgrade to version 1.15.2 or apply the equivalent code change [2][3]. No workaround is documented for earlier versions.
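The two practical questions a defender has after reading the sections above are whether a given Geode release is inside the affected range and whether the request shape the attack depends on (a GET to /management/commands carrying a cmd parameter, typically arriving with a third-party Referer) shows up in the REST API's access logs. The script below is an added example, not code from the advisory or from the Apache Geode project: it encodes the advisory's version boundaries (1.10.0 through 1.15.1 affected, 1.15.2 fixed) and triages constructed access-log lines. The /geode-mgmt/v1 path prefix, the host names, and the assumption that the log records a quoted Referer field are all constructed for the example; only the /management/commands endpoint, the cmd parameter and the version numbers come from the page.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Version boundaries from the advisory: 1.10.0 through 1.15.1 affected, 1.15.2 fixed.
FIRST_AFFECTED = (1, 10, 0)
FIRST_FIXED = (1, 15, 2)


def parse_version(text):
    """Turn '1.15.1' (or a shorter '1.15') into a comparable three-part tuple."""
    nums = [int(p) for p in text.strip().split(".")[:3]]
    return tuple(nums + [0] * (3 - len(nums)))


def is_affected(version):
    """True when the Geode version falls inside the advisory's affected range."""
    return FIRST_AFFECTED <= parse_version(version) < FIRST_FIXED


# Common/combined access-log shape with an optional quoted Referer field
# (assumption: the REST API front end logs in this format).
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+'
    r'(?: "(?P<referer>[^"]*)")?'
)
ENDPOINT = "/management/commands"  # endpoint named in the advisory and the patch


def triage_line(line, trusted_hosts):
    """Return a finding record for a request to /management/commands, else None."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    url = urlsplit(m.group("target"))
    if not url.path.endswith(ENDPOINT):
        return None
    # On affected versions the gfsh command travels in the query string of a GET.
    cmd = parse_qs(url.query).get("cmd", [None])[0]
    referer = m.group("referer") or ""
    referer_host = urlsplit(referer).netloc if referer and referer != "-" else ""
    findings = []
    if m.group("method") == "GET":
        if m.group("status") == "405":
            findings.append("GET rejected (405): POST-only mapping from 1.15.2 is in effect")
        else:
            findings.append("GET accepted on /management/commands: CSRF-capable request shape")
    if referer_host and referer_host not in trusted_hosts:
        findings.append(f"cross-site Referer {referer_host}")
    return {
        "client": m.group("client"),
        "user": m.group("user"),
        "method": m.group("method"),
        "status": int(m.group("status")),
        "cmd": cmd,
        "findings": findings,
    }


def triage(log_text, trusted_hosts=frozenset()):
    """Triage every line of an access log; only /management/commands hits are returned."""
    results = []
    for line in log_text.splitlines():
        record = triage_line(line, trusted_hosts)
        if record is not None:
            results.append(record)
    return results


# Constructed sample log: hosts, path prefix and times are invented for this example.
TRUSTED_HOSTS = frozenset({"locator.internal.example:7070"})
SAMPLE_LOG = """\
10.0.0.5 - admin [18/Oct/2025:10:00:01 +0000] "GET /geode-mgmt/v1/management/commands?cmd=list+members HTTP/1.1" 200 512 "https://pages.example.net/news"
10.0.0.5 - admin [18/Oct/2025:10:00:07 +0000] "POST /geode-mgmt/v1/management/commands HTTP/1.1" 200 734 "https://locator.internal.example:7070/pulse"
10.0.0.9 - admin [18/Oct/2025:10:01:00 +0000] "GET /geode-mgmt/v1/management/commands?cmd=describe+region+--name%3Dorders HTTP/1.1" 405 0 "-"
10.0.0.5 - admin [18/Oct/2025:10:02:00 +0000] "GET /geode-mgmt/v1/management/ping HTTP/1.1" 200 2 "-"
"""

if __name__ == "__main__":
    for v in ("1.9.2", "1.10.0", "1.15.1", "1.15.2"):
        print(f"Geode {v}: {'AFFECTED' if is_affected(v) else 'not affected'}")
    for rec in triage(SAMPLE_LOG, TRUSTED_HOSTS):
        print(rec["method"], rec["status"], rec["user"], rec["cmd"], rec["findings"])
```

The first sample line is the shape the advisory describes (an authenticated user's browser issuing a GET with the command in the query string, arriving from an unrelated page), the second is an ordinary POST from the cluster's own UI, and the third shows what the same GET looks like once 1.15.2's POST-only mapping is in place: a 405 with the command never reaching gfsh.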

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.apache.geode:geode-web (Maven)
Affected versions: >= 1.10.0, < 1.15.2
Patched versions: 1.15.2

Affected products (2)

  • Apache/Geode (llm-fuzzy)
    Range: >=1.10 <=1.15.1
  • Apache Software Foundation/Apache Geode (v5)
    Range: 1.10.0

Patches (1)

Commit 570990909e6f

Disallow GET requests to /management/commands endpoint (#7910)

Repository: https://github.com/apache/geode · Author: wmh1108-sas · Aug 28, 2025 · via ghsa
1 file changed · +1 −1
  • geode-web/src/main/java/org/apache/geode/management/internal/web/controllers/ShellCommandsController.java  +1 −1 modified
    @@ -79,7 +79,7 @@ public class ShellCommandsController extends AbstractCommandsController {
     
       private static final String DEFAULT_INDEX_TYPE = "range";
     
    -  @RequestMapping(method = {RequestMethod.GET, RequestMethod.POST}, value = "/management/commands")
    +  @RequestMapping(method = {RequestMethod.POST}, value = "/management/commands")
       public ResponseEntity<InputStreamResource> command(@RequestParam(value = "cmd") String command,
           @RequestParam(value = "resources", required = false) MultipartFile[] fileResource)
           throws IOException {
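Review bot: the method restriction is the entire change and nothing in the hunk exercises it; add a controller test asserting that a GET to /management/commands with a cmd parameter now returns 405 Method Not Allowed while a POST still reaches command(), so the GET path cannot silently reappear in a later refactor. Since the advisory describes the attack as riding on the victim's session credentials, it would also help to state in the commit message why POST-only is sufficient here (for instance, whether this endpoint only accepts credentials supplied explicitly by the client rather than ambient ones), because a method restriction on its own is not a CSRF defence in general. Minor style point: `method = RequestMethod.POST` (or Spring's `@PostMapping` where the Spring version in use provides it) reads more clearly than a one-element array.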
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (5)

News mentions (0)

No linked articles in our index yet.