oss-sec mailing list archives

CVE-2025-66249: Apache Livy: Unauthorized directory access


From: György Gál <ggal () apache org>
Date: Thu, 12 Mar 2026 16:41:49 +0000

Severity: important 

Affected versions:

- Apache Livy (org.apache.livy:livy-server) 0.3.0-incubating before 0.9.0-incubating

Description:

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache Livy.

This issue affects Apache Livy: from 0.3.0 before 0.9.0.

The vulnerability can only be exploited with non-default Apache Livy Server settings. If the configuration value "livy.file.local-dir-whitelist" is set to a non-default value, the directory checking can be bypassed.
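The advisory names the CWE class (path traversal against a directory whitelist) but does not say how Livy's check was bypassed, and the fix is to upgrade. For readers maintaining a similar "allowed local directories" check, the following is an added illustration of the defect class and its mitigation; it is not Livy's code and does not reproduce the Livy bug. It assumes a comma-separated value for livy.file.local-dir-whitelist (the key is from the advisory; the format and the sample paths are constructed), and contrasts a generic weak prefix check with a canonicalize-then-ancestor check.

```python
import os

# Constructed configuration value, not from a real deployment. The Livy key
# "livy.file.local-dir-whitelist" lists local directories from which files may
# be added; a comma-separated value is assumed here.
LOCAL_DIR_WHITELIST = "/data/allowed,/opt/livy/jars"


def parse_whitelist(value: str) -> list[str]:
    """Split the config value and canonicalize each entry once."""
    return [os.path.realpath(p.strip()) for p in value.split(",") if p.strip()]


def is_allowed_naive(path: str, whitelist: list[str]) -> bool:
    """Weak check (generic CWE-22 pitfall, not Livy's logic): plain string
    prefix matching on the raw input. It accepts '..' segments and sibling
    directories that merely share a textual prefix with a whitelisted one."""
    return any(path.startswith(d) for d in whitelist)


def is_allowed(path: str, whitelist: list[str]) -> bool:
    """Hardened check: canonicalize the candidate (resolves '.', '..',
    duplicate separators and, where the path exists, symlinks), then require
    a whitelisted directory to be an ancestor by whole path component."""
    real = os.path.realpath(path)
    for d in whitelist:
        try:
            if os.path.commonpath([real, d]) == d:
                return True
        except ValueError:
            # Mixed absolute/relative or different roots: cannot be under d.
            continue
    return False


if __name__ == "__main__":
    wl = parse_whitelist(LOCAL_DIR_WHITELIST)
    for candidate in (
        "/data/allowed/job.py",            # inside a whitelisted dir
        "/data/allowed/../secret.txt",     # escapes via '..'
        "/data/allowed_other/x.py",        # sibling sharing a prefix
        "/opt/livy/jars/lib.jar",          # inside the second entry
    ):
        print(f"{candidate:32} naive={is_allowed_naive(candidate, wl)!s:5} "
              f"hardened={is_allowed(candidate, wl)}")
```

The hardened variant compares whole components via os.path.commonpath after os.path.realpath, so a whitelist entry of /data/allowed does not admit /data/allowed_other, and a traversal segment is resolved before the comparison rather than matched as text. Canonicalizing the whitelist entries themselves matters too: a trailing slash or a symlinked directory in the configuration would otherwise make the ancestor comparison fail or succeed for the wrong reason.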

Users are recommended to upgrade to version 0.9.0, which fixes the issue.

Credit:

Hiroki Egawa (finder)

References:

https://livy.incubator.apache.org
https://www.cve.org/CVERecord?id=CVE-2025-66249

