Vulnerability Details CVE-2025-66249
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache Livy.
This issue affects Apache Livy: from 0.3.0 before 0.9.0.
The vulnerability can only be exploited with non-default Apache Livy Server settings. If the configuration value "livy.file.local-dir-whitelist" is set to a non-default value, the directory checking can be bypassed.
Users are recommended to upgrade to version 0.9.0, which fixes the issue.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 16.4%
CVSS Severity
CVSS v3 Score 6.3
References
Products affected by CVE-2025-66249
-
cpe:2.3:a:apache:livy:0.3.0
-
cpe:2.3:a:apache:livy:0.4.0
-
cpe:2.3:a:apache:livy:0.5.0
-
cpe:2.3:a:apache:livy:0.6.0
-
cpe:2.3:a:apache:livy:0.7.0
-
cpe:2.3:a:apache:livy:0.7.0-incubating
-
cpe:2.3:a:apache:livy:0.7.1