Security scans like the BlackDuck portal can sometimes flag Apache Geode vulnerabilities as GemFire vulnerabilities, because GemFire is built on a Geode codebase.
For example, according to BlackDuck, the underlying Apache Geode 1.15.0 dependency exposes GemFire to the following risks:
| Vulnerability ID | BDSA ID | CVSS Score / Severity |
|---|---|---|
| CVE-2025-47410 | BDSA-2025-14100 | 8.8 (High) |
| CVE-2024-44088 | BDSA-2025-13874 | 6.1 (Medium) |
| CVE-2022-34870 | BDSA-2022-4092 | 5.4 (Medium) |
The remediation advice given by the scanner suggests upgrading to Apache Geode 1.15.3 (short-term) or Apache Geode 2.0.1 (long-term) to clear these findings.
Affected Versions: GemFire versions utilizing codebases corresponding to Apache Geode 1.15.0.
After Apache Geode version 1.15.0, Apache Geode and VMware GemFire branched into two distinct products with separate versioning tracks. Upgrading directly to "Apache Geode 1.15.3" or "2.0.1" is not applicable to GemFire.
The remediation path for GemFire customers is as follows:
1) CVE-2022-34870: fixed in GemFire 10.0 and later.
2) CVE-2024-44088: planned to be fixed in GemFire 10.2.5 (June 2026).
3) CVE-2025-47410: planned to be fixed in GemFire 10.2.5 (June 2026).
Note: Target release windows and software delivery dates are subject to change. Please consult the official VMware GemFire Release Notes for the most up-to-date availability information.
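The following Python script is an added example for this advisory, not VMware, Apache or BlackDuck code. It re-maps scanner findings that recommend a Geode upgrade onto the GemFire remediation path stated above, compares an installed GemFire version against the fix versions, and keeps the two planned fixes reported as open until the release notes confirm them. The scanner line format (`CVE | BDSA | CVSS | advice`) and the sample rows are constructed for the example; the version table is transcribed from this page and should be updated from the official release notes.

```python
"""Re-map scanner findings that attribute Apache Geode CVEs to VMware GemFire.

Added example for this advisory; not VMware, Apache or BlackDuck code.
The CVE-to-version table is transcribed from the advisory text. The 10.2.5
entries are planned fixes and must be re-checked against the official
GemFire release notes before being treated as shipped.
"""
import re
from typing import NamedTuple


class Remediation(NamedTuple):
    fix_version: tuple  # first GemFire version carrying the fix
    status: str         # "fixed" (shipped) or "planned" (not yet shipped)


# CVE -> GemFire remediation, as stated in the advisory.
GEMFIRE_REMEDIATION = {
    "CVE-2022-34870": Remediation((10, 0), "fixed"),
    "CVE-2024-44088": Remediation((10, 2, 5), "planned"),
    "CVE-2025-47410": Remediation((10, 2, 5), "planned"),
}

# Geode versions the scanner recommends. They do not exist on the GemFire
# track, so a finding that recommends them needs re-mapping, not an upgrade.
GEODE_UPGRADE_TARGETS = {"1.15.3", "2.0.1"}


def parse_version(text):
    """'10.1.2' -> (10, 1, 2); tolerates a trailing '+' as in '10.0+'."""
    return tuple(int(p) for p in text.strip().rstrip("+").split("."))


def version_at_least(installed, required):
    """Component-wise comparison, padding the shorter tuple with zeros."""
    n = max(len(installed), len(required))

    def pad(v):
        return v + (0,) * (n - len(v))

    return pad(installed) >= pad(required)


def fmt(version):
    return ".".join(str(p) for p in version)


def triage_finding(cve_id, installed):
    """Classify one finding against the installed GemFire version.

    Returns (cve_id, state, detail) with state 'resolved', 'open' or
    'unknown'. Planned fixes stay 'open' until the release notes confirm
    them, even if the installed version number is at or past the target.
    """
    rem = GEMFIRE_REMEDIATION.get(cve_id)
    if rem is None:
        return (cve_id, "unknown", "not covered by this advisory; review manually")
    target = fmt(rem.fix_version)
    if rem.status == "fixed":
        if version_at_least(installed, rem.fix_version):
            return (cve_id, "resolved", f"fixed in GemFire {target}+")
        return (cve_id, "open", f"upgrade to GemFire {target}+")
    return (cve_id, "open", f"fix planned for GemFire {target}; confirm in release notes")


def triage_report(scanner_lines, installed_version_text):
    """Parse constructed scanner lines ('CVE | BDSA | CVSS | advice') and
    return one triage tuple per finding. Geode upgrade targets found in the
    advice do not affect the decision but are called out in the detail."""
    installed = parse_version(installed_version_text)
    results = []
    for line in scanner_lines:
        fields = [f.strip() for f in line.split("|")]
        if len(fields) < 4 or not fields[0].startswith("CVE-"):
            continue  # skip header or malformed rows
        cve_id, advice = fields[0], fields[3]
        cve, state, detail = triage_finding(cve_id, installed)
        geode = set(re.findall(r"\d+\.\d+\.\d+", advice)) & GEODE_UPGRADE_TARGETS
        if geode:
            detail += (f" (scanner advice 'Geode {', '.join(sorted(geode))}'"
                       " is not applicable to GemFire)")
        results.append((cve, state, detail))
    return results


# Constructed sample of scanner output, shaped like the advisory's table.
SAMPLE_SCAN = [
    "Vulnerability ID | BDSA ID | CVSS | Remediation",
    "CVE-2025-47410 | BDSA-2025-14100 | 8.8 | Upgrade to Apache Geode 1.15.3 or 2.0.1",
    "CVE-2024-44088 | BDSA-2025-13874 | 6.1 | Upgrade to Apache Geode 1.15.3 or 2.0.1",
    "CVE-2022-34870 | BDSA-2022-4092 | 5.4 | Upgrade to Apache Geode 1.15.3 or 2.0.1",
]

if __name__ == "__main__":
    for cve, state, detail in triage_report(SAMPLE_SCAN, "10.1.0"):
        print(f"{cve:15} {state:9} {detail}")
```

Run against a GemFire 10.1.0 deployment, the report marks CVE-2022-34870 resolved and the two planned items open, and annotates each row with the fact that the scanner's Geode upgrade advice does not apply. Keeping the planned entries open regardless of version number is deliberate: a version that is only scheduled to carry a fix must not be treated as carrying it until the release notes say so.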