CVE-2025-66249 - Vulnerability Details - OpenCVE

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache Livy. This issue affects Apache Livy: from 0.3.0 before 0.9.0. The vulnerability can only be exploited with non-default Apache Livy Server settings. If the configuration value "livy.file.local-dir-whitelist" is set to a non-default value, the directory checking can be bypassed. Users are recommended to upgrade to version 0.9.0, which fixes the issue.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

No data.

No data.

No data.

No data.

References

Link	Providers
https://lists.apache.org/thread/1xwphsfn4jbtym4k4o0zlvwfogwqwwc3

History

Fri, 13 Mar 2026 15:30:00 +0000

Type	Values Removed	Values Added
Description		Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache Livy. This issue affects Apache Livy: from 0.3.0 before 0.9.0. The vulnerability can only be exploited with non-default Apache Livy Server settings. If the configuration value "livy.file.local-dir-whitelist" is set to a non-default value, the directory checking can be bypassed. Users are recommended to upgrade to version 0.9.0, which fixes the issue.
Title		Apache Livy: Unauthorized directory access
Weaknesses		CWE-22
References		https://lists.apache.org/thread/1xwphsfn4jbtym4k4o0zlvwfogwqwwc3

MITRE

Status: PUBLISHED

Assigner: apache

Published: 2026-03-13T15:21:53.722Z

Updated: 2026-03-13T16:13:45.211Z

Reserved: 2025-11-25T20:04:17.179Z

Link: CVE-2025-66249

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-66249", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2025-11-25T20:04:17.179Z", "datePublished": "2026-03-13T15:21:53.722Z", "dateUpdated": "2026-03-13T16:13:45.211Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://repo.maven.apache.org/maven2", "defaultStatus": "unaffected", "packageName": "org.apache.livy:livy-server", "product": "Apache Livy", "vendor": "Apache Software Foundation", "versions": [{"lessThan": "0.9.0-incubating", "status": "affected", "version": "0.3.0-incubating", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Hiroki Egawa"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache Livy.</p><p>This issue affects Apache Livy: from 0.3.0 before 0.9.0.</p><p>The vulnerability can only be exploited with non-default Apache Livy Server settings. If the configuration value \"livy.file.local-dir-whitelist\" is set to a non-default value, the directory checking can be bypassed.</p><p>Users are recommended to upgrade to version 0.9.0, which fixes the issue.</p>"}], "value": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache Livy.\n\nThis issue affects Apache Livy: from 0.3.0 before 0.9.0.\n\nThe vulnerability can only be exploited with non-default Apache Livy Server settings. If\u00a0the configuration value \"livy.file.local-dir-whitelist\" is set to a non-default value, the directory checking can be bypassed.\n\nUsers are recommended to upgrade to version 0.9.0, which fixes the issue."}], "metrics": [{"other": {"content": {"text": "important"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2026-03-13T15:21:53.722Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://lists.apache.org/thread/1xwphsfn4jbtym4k4o0zlvwfogwqwwc3"}], "source": {"discovery": "UNKNOWN"}, "title": "Apache Livy: Unauthorized directory access", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/03/12/2"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-03-13T16:13:45.211Z"}}]}}