anonhaven
Ad

CVE-2025-66249

MEDIUM CVSS 3.1: 6.3 EPSS 0.03%
Updated Mar 16, 2026
Apache
Parameter Value
CVSS 6.3 (MEDIUM)
Affected Versions before 0.9.0.
Fixed In 0.9.0
Type CWE-22 (Path Traversal)
Vendor Apache
Public PoC No

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache Livy. This issue affects Apache Livy: from 0.3.0 before 0.9.0. The vulnerability can only be exploited with non-default Apache Livy Server settings.

If the configuration value "livy.file.local-dir-whitelist" is set to a non-default value, the directory checking can be bypassed. Users are recommended to upgrade to version 0.9.0, which fixes the issue.

Attack Parameters

Attack Vector
Network
Can be exploited remotely
Attack Complexity
Low
Easy to exploit
Privileges Required
Low
Basic privileges needed
User Interaction
None
No user interaction needed

Impact Assessment

Confidentiality
Low
Partial data leak
Integrity
Low
Partial data modification
Availability
Low
Partial disruption

CVSS Vector v3.1

Weakness Type (CWE)

CWE-22 Path Traversal

References 2

https://lists.apache.org/thread/1xwphsfn4jbtym4k4o0zlvwfogwqwwc3
security@apache.org
http://www.openwall.com/lists/oss-security/2026/03/12/2
af854a3a-2127-422b-91ae-364da2661108
Share Post Share Share Share

Related Vulnerabilities

CVE-2026-27811

Apache

8.8

CVE-2025-54920

Apache

8.8

CVE-2016-20026

Apache

9.3

CVE-2026-23941

Apache

7.0

CVE-2025-60012

Apache

6.3