EUVD-2025-208637

CVE-2025-60012 MEDIUM
2026-03-13 apache GHSA-hm8x-rpgg-7855
6.3
CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability: Low

Lifecycle Timeline

Patch Released: Mar 31, 2026 - 21:13 (nvd) - Patch available
Analysis Generated: Mar 13, 2026 - 16:57 (vuln.today)
EUVD ID Assigned: Mar 13, 2026 - 16:57 (euvd) - EUVD-2025-208637
CVE Published: Mar 13, 2026 - 15:23 (nvd) - MEDIUM 6.3

Description

Malicious configuration can lead to unauthorized file access in Apache Livy. This issue affects Apache Livy 0.7.0 and 0.8.0 when connecting to Apache Spark 3.1 or later. A request that includes a Spark configuration value supported from Apache Spark version 3.1 can lead to users gaining access to files they do not have permissions to. For the vulnerability to be exploitable, the user needs to have access to Apache Livy's REST or JDBC interface and be able to send requests with arbitrary Spark configuration values. Users are recommended to upgrade to version 0.9.0 or later, which fixes the issue.

Analysis

Apache Livy versions 0.7.0 and 0.8.0 contain an improper input validation vulnerability (CWE-20) that allows authenticated users to bypass file access controls by injecting malicious Spark configuration values when connecting to Apache Spark 3.1 or later. An attacker with access to Livy's REST or JDBC interface can craft requests with arbitrary Spark configuration parameters to gain unauthorized access to files they do not have permissions to read or modify. This vulnerability is of moderate severity (CVSS 6.3) but requires valid authentication and is fixed in version 0.9.0 and later.

Technical Context

Apache Livy is an open-source REST/JDBC interface for interacting with Apache Spark clusters. The vulnerability stems from improper sanitization of Spark configuration values passed through the REST and JDBC APIs (CVE-2025-60012 affects cpe:2.3:a:apache:livy:0.7.0 and cpe:2.3:a:apache:livy:0.8.0). The root cause is classified as CWE-20 (Improper Input Validation), indicating that Livy fails to adequately validate or filter Spark configuration parameters before forwarding them to the Spark cluster. Starting with Apache Spark 3.1, new configuration options were introduced that can be abused to manipulate file access permissions or redirect file operations. Since Livy acts as a trusted intermediary between clients and Spark, it should enforce strict whitelisting of permitted configurations; instead, it appears to pass user-supplied configurations directly to Spark without proper validation, allowing attackers to exploit Spark 3.1+ features to circumvent file-level access controls.

Affected Products

Apache Livy versions 0.7.0 and 0.8.0 are affected when connected to Apache Spark 3.1 or later (cpe:2.3:a:apache:livy:0.7.0 and cpe:2.3:a:apache:livy:0.8.0). Version 0.9.0 and all subsequent releases contain the fix. The vulnerability is specific to the combination of these Livy versions with Spark 3.1+; users running Livy with earlier Spark versions are not exposed to this issue despite running vulnerable Livy code. Consult the Apache Livy security advisory for detailed CVE information and upgrade guidance.

Remediation

Immediately upgrade Apache Livy to version 0.9.0 or later, which contains the security fix. For users unable to upgrade immediately, restrict access to Livy's REST and JDBC interfaces to a minimum set of trusted authenticated users and use network-level access controls (firewall rules, VPN requirements) to limit exposure to the affected endpoints. Consider deploying a reverse proxy in front of Livy that validates and sanitizes Spark configuration parameters before they reach the application, explicitly blocking any configuration keys that could be abused for file access manipulation. Additionally, review audit logs for any suspicious Spark configuration submissions and validate file access patterns to detect potential unauthorized access attempts. Downgrade Apache Spark to a version prior to 3.1 if operationally feasible, though this is typically not a viable long-term solution given the security and feature improvements in newer Spark versions.
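One way to implement the allowlist check that the reverse-proxy mitigation above calls for, as an added example that is not code from vuln.today, Apache Livy or the Apache advisory. It validates the JSON body of a Livy session or batch request before it is forwarded; the keys and value patterns in ALLOWED_CONF and the sample bodies are assumptions chosen for illustration, not the configuration keys involved in this CVE.

```python
import json
import re

# Assumed allowlist for illustration: the Spark conf keys this deployment
# lets callers set, each with a value pattern. Deny by default, so any key
# not listed is rejected and no "dangerous key" list has to be maintained.
ALLOWED_CONF = {
    "spark.executor.memory": re.compile(r"\d+[kmgt]", re.I),
    "spark.driver.memory": re.compile(r"\d+[kmgt]", re.I),
    "spark.executor.cores": re.compile(r"\d{1,3}"),
    "spark.executor.instances": re.compile(r"\d{1,4}"),
    "spark.sql.shuffle.partitions": re.compile(r"\d{1,5}"),
}


def check_livy_request(body):
    """Validate the JSON body of a Livy POST /sessions or /batches request.

    Returns (allowed, reasons). A proxy would forward the request only when
    allowed is True and log the reasons otherwise.
    """
    reasons = []
    try:
        req = json.loads(body)
    except json.JSONDecodeError as exc:
        return False, ["invalid JSON: " + exc.msg]
    if not isinstance(req, dict):
        return False, ["body is not a JSON object"]
    conf = req.get("conf", {})
    if not isinstance(conf, dict):
        return False, ["conf is not an object"]
    for key, value in conf.items():
        pattern = ALLOWED_CONF.get(key)
        if pattern is None:
            reasons.append("conf key not in allowlist: " + key)
        elif not isinstance(value, str) or not pattern.fullmatch(value):
            reasons.append("conf value rejected for %s: %r" % (key, value))
    return not reasons, reasons


# Constructed sample bodies, not captured traffic.
OK_BODY = json.dumps({"kind": "pyspark",
                      "conf": {"spark.executor.memory": "4g",
                               "spark.executor.cores": "2"}})
UNLISTED_BODY = json.dumps({"kind": "pyspark",
                            "conf": {"spark.executor.memory": "4g",
                                     "spark.some.unlisted.option": "x"}})

if __name__ == "__main__":
    for body in (OK_BODY, UNLISTED_BODY):
        print(check_livy_request(body))
```

Rejected requests should be logged with the offending key, since repeated submissions of unlisted configuration keys are exactly the audit signal the paragraph above suggests reviewing for.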

Priority Score

32 (scale: Low / Medium / High / Critical)
KEV: 0
EPSS: +0.0
CVSS: +32
POC: 0

EUVD-2025-208637 vulnerability details – vuln.today