Moderate severity · NVD Advisory · Published Mar 13, 2026 · Updated Mar 13, 2026

Apache Livy: Unauthorized directory access

CVE-2025-66249

Description

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache Livy.

This issue affects Apache Livy: from 0.3.0 before 0.9.0.

The vulnerability can only be exploited with non-default Apache Livy Server settings. If the configuration value "livy.file.local-dir-whitelist" is set to a non-default value, the directory checking can be bypassed.

Users are recommended to upgrade to version 0.9.0, which fixes the issue.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A path traversal vulnerability in Apache Livy (0.3.0 before 0.9.0) allows bypassing directory whitelist checks when a non-default configuration is used.

Vulnerability

Overview

CVE-2025-66249 is a path traversal vulnerability (Improper Limitation of a Pathname to a Restricted Directory) in Apache Livy, affecting versions from 0.3.0 up to but not including 0.9.0. The root cause lies in the Livy server's handling of the livy.file.local-dir-whitelist configuration property. When this setting is changed from its default value, the directory validation logic can be bypassed, allowing users to specify paths outside the intended whitelist [1][3].

Exploitation

Conditions

The vulnerability is exploitable only when the Apache Livy Server is configured with a non-default value for livy.file.local-dir-whitelist. This is a server-side configuration setting that restricts which local directories Livy can access for file operations. An attacker would need to be able to submit requests to the Livy REST API, but no privileges beyond those of normal API usage are required. Where the server is deployed without authentication, a known deployment scenario, no credentials are needed at all [1][3].

Impact

An attacker who successfully bypasses the directory whitelist can read, write, or delete files in arbitrary locations on the Livy server's filesystem, outside the intended restricted directories. This could lead to disclosure of sensitive data (e.g., configuration files, credentials), modification of critical system files, or denial of service. The impact is limited to the file system permissions of the Livy server process [1][3].

Mitigation

The vendor recommends upgrading to Apache Livy version 0.9.0, which fixes the issue. Users who cannot immediately upgrade should ensure that the livy.file.local-dir-whitelist configuration is set to its default value (empty). No workaround is provided for installations that require non-default whitelist settings prior to upgrading [1][3].
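A deployment check written for this advisory (an added example, not code from the Livy project): it reads the Livy version and a livy.conf fragment and reports whether both exposure conditions hold, a version in the affected range and a non-default livy.file.local-dir-whitelist. The properties-style livy.conf layout and the constructed sample values are assumptions.

```python
import re

# Facts from the advisory: affected >= 0.3.0 and < 0.9.0; the whitelist key's default is empty.
AFFECTED_MIN = (0, 3, 0)
FIXED_IN = (0, 9, 0)
WHITELIST_KEY = "livy.file.local-dir-whitelist"

def parse_version(version: str) -> tuple:
    """Reduce a Livy version such as '0.8.0-incubating' to (0, 8, 0)."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised Livy version: {version!r}")
    return tuple(int(x) for x in m.groups())

def parse_livy_conf(text: str) -> dict:
    """Minimal reader for 'key = value' (or 'key value') lines of livy.conf.
    Assumed properties-style layout; comments (#) and blank lines are skipped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        sep = "=" if "=" in line else " "
        key, _, value = line.partition(sep)
        conf[key.strip()] = value.strip()
    return conf

def assess(version: str, conf_text: str) -> dict:
    """Combine the version range and the whitelist setting into an exposure verdict."""
    in_range = AFFECTED_MIN <= parse_version(version) < FIXED_IN
    whitelist = parse_livy_conf(conf_text).get(WHITELIST_KEY, "")
    non_default = whitelist != ""          # default is empty, per the advisory
    exposed = in_range and non_default
    if exposed:
        action = "upgrade to 0.9.0, or clear %s until you can" % WHITELIST_KEY
    elif in_range:
        action = "upgrade to 0.9.0; the setting is at its default meanwhile"
    else:
        action = "not in the affected range"
    return {"in_affected_range": in_range, "whitelist_non_default": non_default,
            "exposed": exposed, "whitelist": whitelist, "action": action}

# Constructed sample livy.conf (not taken from any real deployment).
SAMPLE_CONF = """\
# Livy server settings
livy.server.port = 8998
livy.file.local-dir-whitelist = /opt/jobs/
"""
```

Run assess() against each server's actual version and conf file; only the combination of an affected version and a non-empty whitelist is reported as exposed.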

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.apache.livy:livy-server (Maven)
Affected versions: >= 0.3.0-incubating, < 0.9.0-incubating
Patched versions: 0.9.0-incubating

Affected products

  • Apache/Livy (llm-create)
    Range: >=0.3.0, <0.9.0
  • Apache Software Foundation/Apache Livy (v5)
    Range: 0.3.0-incubating

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

News mentions

No linked articles in our index yet.