EUVD-2025-208639
GHSA-h84f-4ff9-8hc3
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Lifecycle Timeline
4Description
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache Livy. This issue affects Apache Livy: from 0.3.0 before 0.9.0. The vulnerability can only be exploited with non-default Apache Livy Server settings. If the configuration value "livy.file.local-dir-whitelist" is set to a non-default value, the directory checking can be bypassed. Users are recommended to upgrade to version 0.9.0, which fixes the issue.
Analysis
Apache Livy versions 0.3.0 through 0.8.x contain a path traversal vulnerability (CWE-22) that allows authenticated attackers to bypass directory restrictions and access files outside intended whitelist boundaries. The vulnerability only manifests when the 'livy.file.local-dir-whitelist' configuration parameter is set to a non-default value, enabling attackers with valid credentials to read, write, or execute arbitrary files on the server. With a CVSS score of 6.3 (moderate severity) reflecting the requirement for authenticated access and limited impact scope, this vulnerability warrants prioritization for organizations using Livy in multi-tenant or untrusted user environments.
Technical Context
Apache Livy is an open-source REST API and Web UI for submitting and managing Apache Spark applications. The vulnerability resides in the file path validation logic for the 'livy.file.local-dir-whitelist' configuration parameter, which is intended to restrict file access to specific directories. The root cause is classified under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), a class of path traversal vulnerabilities where insufficient canonicalization or validation of file paths allows attackers to escape intended directory boundaries using techniques such as '../' sequences or symbolic links. The issue affects Apache Livy CPE strings: cpe:2.3:a:apache:livy:*:*:*:*:*:*:*:* for versions 0.3.0 through 0.8.x. The vulnerability is specific to configurations where administrators have explicitly customized the whitelist setting, suggesting this is a regression or edge-case handling failure in the directory checking mechanism.
Affected Products
Apache Livy versions 0.3.0 through 0.8.x (inclusive) are affected by this vulnerability. The vulnerability has been assigned CVE-2025-66249 and affects the product identified by CPE cpe:2.3:a:apache:livy. Version 0.9.0 and later contain the corrective fix. Users should consult the official Apache Livy security advisory and release notes at https://livy.apache.org/ for confirmation of patch availability and upgrade procedures specific to their deployment environment.
Remediation
Upgrade Apache Livy to version 0.9.0 or later, which contains the corrective patch for the path traversal vulnerability. This is the primary and recommended mitigation. For organizations unable to upgrade immediately, implement compensating controls by reverting 'livy.file.local-dir-whitelist' to its default value (which is not vulnerable), thereby disabling custom directory whitelisting until patches can be applied. Additionally, restrict network access to the Livy REST API to trusted internal networks or VPN ranges, enforce strong authentication credentials for all Livy users, and consider running Livy with minimal filesystem permissions to limit the impact of potential directory traversal exploitation. Monitor Livy logs for suspicious file access patterns or requests containing path traversal sequences ('../'). Consult the Apache Livy project security page at https://livy.apache.org/security/ for vendor advisories and coordinate with your deployment platform (Hadoop, Spark, cloud provider) for integration guidance.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today