Apache Kyuubi, the distributed gateway designed to provide secure, serverless SQL access to massive data lakes, has patched a high-severity vulnerability that could allow unauthorized access to the server’s local file system. The flaw, tracked as CVE-2025-66518 and rated with a CVSS score of 8.8, effectively renders the system’s directory allow-lists useless against a savvy attacker.
Kyuubi is widely used to lower the barrier for end-users manipulating large-scale data via Spark SQL engines. While its multi-tenant architecture is built to provide “data security” and “resource isolation,” this latest bug punches a hole through those administrative controls.
The vulnerability lies in how the Kyuubi Server handles file paths. Administrators rely on a configuration setting called kyuubi.session.local.dir.allow.list to strictly define which local directories clients are allowed to access. Ideally, this acts as a sandbox, preventing users from straying into sensitive system folders.
However, due to “missing path normalization,” this safety check can be circumvented.
According to the disclosure, “Any client who can access to Apache Kyuubi Server via Kyuubi frontend protocols can bypass server-side config… and use local files which are not listed in the config.”
By exploiting this lack of sanitization, an attacker could potentially read sensitive configuration files or system data residing on the server, violating the platform’s promise of isolation.
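The article describes the weak spot only in general terms (an allow-list check applied before the path is normalized). The following Python is an added illustration, not code from the Kyuubi project (which is JVM-based), and the allow-list entries, directory layout and file names in it are constructed for the demonstration. It puts a raw string-prefix check beside a check that resolves `.`, `..` and symlinks first and then compares on whole path components, so an administrator can see why the latter is the only one that actually enforces a directory boundary.

```python
# Added example (not Apache Kyuubi's code): a naive directory allow-list
# check beside one that normalizes the path before comparing.
import os
import tempfile

# Constructed allow-list, in the spirit of kyuubi.session.local.dir.allow.list.
ALLOW_LIST = ["/opt/kyuubi/work", "/tmp/kyuubi"]


def naive_is_allowed(path: str, allow_list=ALLOW_LIST) -> bool:
    """Raw string prefix match with no normalization and no separator check.

    This is the weak form: '..' segments, symlinks and sibling directories
    that merely share a prefix all slip past it.
    """
    return any(path.startswith(allowed) for allowed in allow_list)


def normalized_is_allowed(path: str, allow_list=ALLOW_LIST) -> bool:
    """Hardened form: require an absolute path, resolve '.', '..' and
    symlinks on both the candidate and the allow-list entry, then compare
    on complete path components (base itself, or base + separator)."""
    if not os.path.isabs(path):
        return False
    resolved = os.path.realpath(path)
    for allowed in allow_list:
        base = os.path.realpath(allowed)
        # os.path.join(base, "") appends exactly one trailing separator,
        # so "/opt/kyuubi/work_evil" no longer matches "/opt/kyuubi/work".
        if resolved == base or resolved.startswith(os.path.join(base, "")):
            return True
    return False


def symlink_demo():
    """Build a temporary layout in which a symlink inside the allowed
    directory points to a sibling directory outside it, and return
    (naive_verdict, normalized_verdict) for a file reached via that link."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = os.path.realpath(tmp)
        allowed = os.path.join(tmp, "allowed")
        secret = os.path.join(tmp, "secret")
        os.makedirs(allowed)
        os.makedirs(secret)
        with open(os.path.join(secret, "creds.txt"), "w") as fh:
            fh.write("constructed sample secret\n")
        os.symlink(secret, os.path.join(allowed, "link"))
        candidate = os.path.join(allowed, "link", "creds.txt")
        return (naive_is_allowed(candidate, [allowed]),
                normalized_is_allowed(candidate, [allowed]))


if __name__ == "__main__":
    # Constructed candidate paths: one legitimate, two that a prefix match
    # wrongly accepts, one relative path that should never be accepted.
    for candidate in ["/opt/kyuubi/work/job1/out.parquet",
                      "/opt/kyuubi/work/../../../etc/passwd",
                      "/opt/kyuubi/work_evil/out.parquet",
                      "relative/dir"]:
        print(f"{candidate:45s} naive={naive_is_allowed(candidate)!s:5s} "
              f"normalized={normalized_is_allowed(candidate)}")
    print("symlink layout (naive, normalized):", symlink_demo())
```

The check resolves the allow-list entries with `os.path.realpath` as well as the candidate, so both sides are compared in the same canonical form; comparing a resolved candidate against an unresolved base would reintroduce a mismatch on hosts where the configured directory is itself a symlink.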
The issue affects the kyuubi-server component across a broad range of recent versions.
- Affected Versions: Apache Kyuubi 1.6.0 through 1.10.2.
The Apache Kyuubi community has released a fix that enforces proper path normalization. Administrators are strongly advised to upgrade their server instances to version 1.10.3 or higher immediately to restore the integrity of their data boundaries.