oss-security - CVE-2025-66249: Apache Livy: Unauthorized directory access

Follow @Openwall on Twitter for new release announcements and other news

[<prev] [next>] [day] [month] [year] [list]

Message-ID: <9c967c49-30aa-ba43-d60d-59623e4b8243@apache.org>
Date: Thu, 12 Mar 2026 16:41:49 +0000
From: György Gál <ggal@...che.org>
To: oss-security@...ts.openwall.com
Subject: CVE-2025-66249: Apache Livy: Unauthorized directory access 

Severity: important 

Affected versions:

- Apache Livy (org.apache.livy:livy-server) 0.3.0-incubating before 0.9.0-incubating

Description:

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache Livy.

This issue affects Apache Livy: from 0.3.0 before 0.9.0.

The vulnerability can only be exploited with non-default Apache Livy Server settings. If the configuration value "livy.file.local-dir-whitelist" is set to a non-default value, the directory checking can be bypassed.

Users are recommended to upgrade to version 0.9.0, which fixes the issue.

Credit:

Hiroki Egawa (finder)

References:

https://livy.incubator.apache.org
https://www.cve.org/CVERecord?id=CVE-2025-66249

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.