Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Lifecycle Timeline
4Blast Radius
ecosystem impact- 4 maven packages depend on org.apache.livy:livy-server (4 direct, 0 indirect)
Ecosystem-wide dependent count for version 0.7.0-incubating.
DescriptionCVE.org
Malicious configuration can lead to unauthorized file access in Apache Livy.
This issue affects Apache Livy 0.7.0 and 0.8.0 when connecting to Apache Spark 3.1 or later.
A request that includes a Spark configuration value supported from Apache Spark version 3.1 can lead to users gaining access to files they do not have permissions to.
For the vulnerability to be exploitable, the user needs to have access to Apache Livy's REST or JDBC interface and be able to send requests with arbitrary Spark configuration values.
Users are recommended to upgrade to version 0.9.0 or later, which fixes the issue.
AnalysisAI
Apache Livy versions 0.7.0 and 0.8.0 contain an improper input validation vulnerability (CWE-20) that allows authenticated users to bypass file access controls by injecting malicious Spark configuration values when connecting to Apache Spark 3.1 or later. An attacker with access to Livy's REST or JDBC interface can craft requests with arbitrary Spark configuration parameters to gain unauthorized access to files they do not have permissions to read or modify. This vulnerability is of moderate severity (CVSS 6.3) but requires valid authentication and is fixed in version 0.9.0 and later.
Technical ContextAI
Apache Livy is an open-source REST/JDBC interface for interacting with Apache Spark clusters. The vulnerability stems from improper sanitization of Spark configuration values passed through the REST and JDBC APIs (CVE-2025-60012 affects cpe:2.3:a:apache:livy:0.7.0 and cpe:2.3:a:apache:livy:0.8.0). The root cause is classified as CWE-20 (Improper Input Validation), indicating that Livy fails to adequately validate or filter Spark configuration parameters before forwarding them to the Spark cluster. Starting with Apache Spark 3.1, new configuration options were introduced that can be abused to manipulate file access permissions or redirect file operations. Since Livy acts as a trusted intermediary between clients and Spark, it should enforce strict whitelisting of permitted configurations; instead, it appears to pass user-supplied configurations directly to Spark without proper validation, allowing attackers to exploit Spark 3.1+ features to circumvent file-level access controls.
RemediationAI
Immediately upgrade Apache Livy to version 0.9.0 or later, which contains the security fix. For users unable to upgrade immediately, restrict access to Livy's REST and JDBC interfaces to a minimum set of trusted authenticated users and use network-level access controls (firewall rules, VPN requirements) to limit exposure to the affected endpoints. Consider deploying a reverse proxy in front of Livy that validates and sanitizes Spark configuration parameters before they reach the application, explicitly blocking any configuration keys that could be abused for file access manipulation. Additionally, review audit logs for any suspicious Spark configuration submissions and validate file access patterns to detect potential unauthorized access attempts. Downgrade Apache Spark to a version prior to 3.1 if operationally feasible, though this is typically not a viable long-term solution given the security and feature improvements in newer Spark versions.
MCPJam Inspector versions 1.4.2 and earlier allow unauthenticated remote code execution through missing authentication i
A path traversal vulnerability exists in mlflow/mlflow version 2.15.1. Rated high severity (CVSS 7.5), this vulnerabilit
Code injection in Langflow CSV Agent node before 1.8.0. The node hardcodes allow_dangerous_code=True, enabling arbitrary
Langflow has a third RCE vulnerability via exec_globals (EPSS 10.0%) allowing inclusion of untrusted code that executes
Sandbox escape in Enclave JavaScript sandbox before 2.11.1. Enclave is designed for safe AI agent code execution — the e
enclave-vm JavaScript sandbox (before 2.7.0) has a critical sandbox escape. When a tool invocation fails, a host-side Er
A remote code execution vulnerability in langchain-ai/langchain (CVSS 10.0). Risk factors: public PoC available. Vendor
n8n has a fifth critical RCE vulnerability (CVSS 9.9) in the Expression evaluator, enabling code execution through craft
Path traversal vulnerability in RAGFlow RAG engine version 0.23.1 allows unauthenticated attackers to read arbitrary fil
WeKnora LLM framework (before 0.2.5) allows authenticated users to inject MCP stdio commands that the server executes as
OS command injection in WeKnora from version 0.2.5 allows authenticated users to execute arbitrary system commands. CVSS
Shell command injection in Nuclio serverless framework before 1.15.20. PoC and patch available.
Same weakness CWE-20 – Improper Input Validation
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-208637
GHSA-hm8x-rpgg-7855