CVE-2025-60012

MEDIUM 6.3

Apache Livy: Restrict file access

CVSS Score

6.3

EPSS Score

0.0%

EPSS Percentile

0th

Malicious configuration can lead to unauthorized file access in Apache Livy. This issue affects Apache Livy 0.7.0 and 0.8.0 when connecting to Apache Spark 3.1 or later. A request that includes a Spark configuration value supported from Apache Spark version 3.1 can lead to users gaining access to files they do not have permissions to. For the vulnerability to be exploitable, the user needs to have access to Apache Livy's REST or JDBC interface and be able to send requests with arbitrary Spark configuration values. Users are recommended to upgrade to version 0.9.0 or later, which fixes the issue.

CWE	CWE-20
Vendor	apache software foundation
Product	apache livy
Published	Mar 13, 2026
Last Updated	Mar 13, 2026

Stay Ahead of the Next One

Get instant alerts for apache software foundation apache livy

Be the first to know when new medium vulnerabilities affecting apache software foundation apache livy are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

Apache Software Foundation / Apache Livy

0.7.0-incubating < 0.9.0-incubating

References

NVD ↗ CVE.org ↗ EPSS Data ↗

lists.apache.org: https://lists.apache.org/thread/gpc85fwrgrbglpk9gm8tmcjzqnctx64w openwall.com: http://www.openwall.com/lists/oss-security/2026/03/12/1

Credits

Furue Hideyuki