CVE-2025-60012 - Vulnerability Details

Description

Malicious configuration can lead to unauthorized file access in Apache Livy.

This issue affects Apache Livy 0.7.0 and 0.8.0 when connecting to Apache Spark 3.1 or later.

A request that includes a Spark configuration value supported from Apache Spark version 3.1 can lead to users gaining access to files they do not have permissions to.

For the vulnerability to be exploitable, the user needs to have access to Apache Livy's REST or JDBC interface and be able to send requests with arbitrary Spark configuration values.

Users are recommended to upgrade to version 0.9.0 or later, which fixes the issue.

Published: 2026-03-13

Score: 6.3 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

Apache Livy allows a malicious configuration of Spark settings to be passed through its REST or JDBC interface. When set to a value supported from Apache Spark 3.1 onwards, it can cause Livy to read or access files that the user does not have permission to read, resulting in unauthorized file access. The vulnerability is a classic CWE‑20 input validation flaw, leading to a confidentiality breach. The likely attack vector is remote network access to Livy’s REST/JDBC API, requiring an authenticated or accessible session.

Affected Systems

This flaw affects Apache Livy versions 0.7.0 and 0.8.0 when they are connected to Apache Spark 3.1 or later. The issue is present only in environments where the Livy server can receive arbitrary Spark configuration values via its REST or JDBC endpoints.

Risk and Exploitability

The CVSS v3 base score is 6.3, indicating a moderate severity. The EPSS score is below 1 %, implying a low probability of exploitation in the wild, and the flaw is not listed in the CISA KEV catalog. Exploitation requires the attacker to have access to Livy’s REST or JDBC interface, which may be protected by authentication or network segmentation. Nonetheless, because the data accessed can be highly sensitive, the risk remains significant for exposed or poorly secured deployments.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Apache Software Foundation

Apache Livy

unaffected

Version	Status	Constraints
`0.7.0-incubating`	affected	< 0.9.0-incubating

Configuration 1 [-]

cpe:2.3:a:apache:livy:*:*:*:*:*:*:*:*

No data.

Vendor Product Confidence Versions

Apache

Livy

95%

Version	Status	Scheme	Platform
`[0.7.0-incubating,0.9.0-incubating)`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade Apache Livy to version 0.9.0 or later.
Restrict access to Livy’s REST and JDBC interfaces by enforcing strong authentication and network segmentation.
Regularly review and audit Spark configuration values submitted through Livy to detect anomalous settings.

Generated by OpenCVE AI on March 19, 2026 at 19:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Github GHSA	GHSA-hm8x-rpgg-7855	Apache Livy: Restrict file access

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.0008.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
http://www.openwall.com/lists/oss-security/2026/03/12/1
https://lists.apache.org/thread/gpc85fwrgrbglpk9gm8tmcjzqnctx64w

History

Thu, 19 Mar 2026 18:00:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:a:apache:livy::::::::

Mon, 16 Mar 2026 10:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Apache Apache livy
Vendors & Products		Apache Apache livy

Fri, 13 Mar 2026 20:00:00 +0000

Type	Values Removed	Values Added
References		http://www.openwall.com/lists/oss-security/2026/03/12/1

Fri, 13 Mar 2026 19:15:00 +0000

Type	Values Removed	Values Added
Metrics		cvssV3_1 `{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L'}` ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Fri, 13 Mar 2026 15:30:00 +0000

Type	Values Removed	Values Added
Description		Malicious configuration can lead to unauthorized file access in Apache Livy. This issue affects Apache Livy 0.7.0 and 0.8.0 when connecting to Apache Spark 3.1 or later. A request that includes a Spark configuration value supported from Apache Spark version 3.1 can lead to users gaining access to files they do not have permissions to. For the vulnerability to be exploitable, the user needs to have access to Apache Livy's REST or JDBC interface and be able to send requests with arbitrary Spark configuration values. Users are recommended to upgrade to version 0.9.0 or later, which fixes the issue.
Title		Apache Livy: Restrict file access
Weaknesses		CWE-20
References		https://lists.apache.org/thread/gpc85fwrgrbglpk9gm8tmcjzqnctx64w

Subscriptions

Apache Livy

MITRE

Status: PUBLISHED

Assigner: apache

Published: 2026-03-13T15:23:07.334Z

Updated: 2026-03-13T18:11:24.588Z

Reserved: 2025-09-23T19:07:43.584Z

Link: CVE-2025-60012

Vulnrichment

Updated: 2026-03-13T16:13:39.867Z

NVD

Status : Analyzed

Published: 2026-03-13T19:53:52.530

Modified: 2026-03-19T17:46:30.747

Link: CVE-2025-60012

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-23T12:02:50Z

Weaknesses

CWE-20

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object