Apache Livy, the REST service that lets web and mobile applications submit work to Apache Spark clusters without shipping a Spark client, has patched two security vulnerabilities. Left unpatched, both flaws let an attacker read files outside the directories Livy is supposed to expose.
For organizations that rely on Livy to run interactive Spark jobs and manage Spark contexts, the “Important” severity rating attached to both advisories is a clear signal to prioritize the upgrade.
The first vulnerability, CVE-2025-60012, stems from an interaction between Livy and newer Spark releases. When Apache Livy 0.7.0 or 0.8.0 is connected to Apache Spark 3.1 or later, Livy does not adequately restrict the Spark configuration that a client is allowed to supply.
A user with access to Livy’s REST or JDBC interface can include arbitrary Spark configuration values in a request. Certain configuration values that Spark has supported since 3.1 can be used to read files on the system, so an attacker can obtain files that their own permissions should not allow. The advisory does not limit the exposure to a particular file type; any file readable by the account running the Spark job is in scope.
The second issue, CVE-2025-66249, is a classic path traversal flaw (CWE-22, improper limitation of a pathname to a restricted directory). It affects a much broader range of releases: every Apache Livy version from 0.3.0 up to the fixed release.
This one only bites on non-default configurations. If an administrator has changed livy.file.local-dir-whitelist from its default value, the check that is meant to confine file access to the whitelisted directories can be bypassed, allowing an attacker to traverse out of those directories and read files elsewhere on the server. Because the default setting is not affected, the first thing to check is whether the property has been set at all in livy.conf; a deployment that has customized it should treat the fix as urgent rather than assume the default protects it.
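To make the failure mode concrete, here is an added Python example of how a directory whitelist check goes wrong and how it should be written. This is not Livy’s code (Livy is written in Scala) and it is not a reconstruction of the actual bug; it shows the general bug pattern the advisory describes, a prefix test on an unnormalised path, next to a hardened containment check. The whitelist directories and sample paths are constructed for the example.

```python
import os
import posixpath

# Constructed whitelist for the example; these are not Livy's defaults.
WHITELIST = ["/data/jobs", "/srv/livy/uploads"]


def naive_is_allowed(path: str, whitelist) -> bool:
    """Weak check: a plain string-prefix test on the raw path.

    Hypothetical bug pattern, not Livy's actual code. It accepts
    '/data/jobs/../../etc/passwd' because the string starts with
    '/data/jobs', and it also accepts the sibling directory
    '/data/jobs-evil' for the same reason.
    """
    return any(path.startswith(d) for d in whitelist)


def hardened_is_allowed(path: str, whitelist) -> bool:
    """Lexical containment check: normalise first, then compare on a
    directory boundary.

    posixpath.normpath collapses '.', '..' and repeated slashes without
    touching the filesystem, so the result is deterministic and works for
    paths that do not exist yet. Relative paths are rejected outright.
    """
    norm = posixpath.normpath(path)
    if not posixpath.isabs(norm):
        return False
    for d in whitelist:
        base = posixpath.normpath(d)
        # Require either the directory itself or something strictly below
        # it; the trailing "/" stops '/data/jobs-evil' matching '/data/jobs'.
        if norm == base or norm.startswith(base.rstrip("/") + "/"):
            return True
    return False


def hardened_is_allowed_on_host(path: str, whitelist) -> bool:
    """Same check after resolving symlinks on the live host.

    Lexical normalisation cannot see a symlink inside a whitelisted
    directory that points elsewhere; os.path.realpath follows it so the
    decision is made on the real target. Only meaningful on the server.
    """
    return hardened_is_allowed(os.path.realpath(path), whitelist)


def audit(paths, whitelist):
    """Run both checks over a list of paths and return the inputs the naive
    check lets through but the hardened check rejects."""
    return [
        p for p in paths
        if naive_is_allowed(p, whitelist) and not hardened_is_allowed(p, whitelist)
    ]


# Constructed sample inputs: two legitimate paths, then three attempts to
# escape or confuse the whitelist.
SAMPLE_PATHS = [
    "/data/jobs/etl.py",
    "/srv/livy/uploads/../uploads/app.jar",
    "/data/jobs/../../etc/passwd",
    "/data/jobs//../../etc/shadow",
    "/data/jobs-evil/payload.jar",
]

if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(f"{p!r:45} naive={naive_is_allowed(p, WHITELIST)!s:5} "
              f"hardened={hardened_is_allowed(p, WHITELIST)}")
    print("slipped past the naive check:", audit(SAMPLE_PATHS, WHITELIST))
```

The audit helper is the check a practitioner would run against a customized livy.file.local-dir-whitelist: feed it the paths clients actually submit and see which ones only pass because of a prefix match. On the server itself, use the realpath variant so a symlink planted inside a whitelisted directory cannot redirect the read.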
The Apache Livy project has fixed both issues in Apache Livy 0.9.0. Users should upgrade to 0.9.0 or later to close the file-exposure paths. Until the upgrade is done, limiting which users can reach the REST and JDBC endpoints reduces exposure, since CVE-2025-60012 requires that access, and any deployment with a customized livy.file.local-dir-whitelist should be treated as exposed to CVE-2025-66249.