Description
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache Livy.

This issue affects Apache Livy: from 0.3.0 before 0.9.0.

The vulnerability can only be exploited with non-default Apache Livy Server settings. If the configuration value "livy.file.local-dir-whitelist" is set to a non-default value, the directory checking can be bypassed.

Users are recommended to upgrade to version 0.9.0, which fixes the issue.
Published: 2026-03-13
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Directory Access
Action: Immediate Patch
AI Analysis

Impact

Apache Livy is vulnerable to a Path Traversal flaw (CWE-22) that allows an attacker to read or access files outside the intended directory by bypassing pathname checks. This can lead to unauthorized disclosure of server files and potential compromise of configuration data if the server is exposed to an attacker.

Affected Systems

The vulnerability affects all Apache Livy installations from version 0.3.0 up to, but not including, version 0.9.0. The product is released by the Apache Software Foundation and is identified by the CPE cpe:2.3:a:apache:livy:*:*:*:*:*:*:*:*.

Risk and Exploitability

The CVSS score of 6.3 indicates moderate risk, while the EPSS score of less than 1% suggests a low likelihood of exploitation at present. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires the server to be configured with a non-default value for the livy.file.local-dir-whitelist setting; without this misconfiguration, the directory traversal cannot be performed.

Generated by OpenCVE AI on March 19, 2026 at 14:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Apache Livy to version 0.9.0 or newer, as recommended by the vendor. If an immediate upgrade is not possible, revert the livy.file.local-dir-whitelist setting to its default value or remove non‑default whitelist entries to prevent directory traversal.
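As an added illustration of the control class this CVE concerns (a directory allowlist guarding local file paths), and not Livy's own code: the validator below assumes nothing about how Livy implements its livy.file.local-dir-whitelist check. It canonicalises both the candidate path and each allowed directory with os.path.realpath (collapsing ".." and following symlinks) and then tests containment with os.path.commonpath, shown beside a naive string-prefix check that accepts sibling directories sharing the allowed prefix and never normalises the path. The directory layout, file names and whitelist values are constructed for the demo.

```python
import os
import tempfile


def naive_prefix_check(path: str, whitelist: list[str]) -> bool:
    """Weak form: a plain string-prefix test. It neither normalises '..' nor
    resolves symlinks, and it accepts '/srv/files_evil' when '/srv/files' is allowed."""
    return any(path.startswith(d) for d in whitelist)


def is_within_whitelist(path: str, whitelist: list[str]) -> bool:
    """Hardened form: canonicalise both sides, then require that the allowed
    directory is exactly the common path of itself and the candidate.
    realpath() collapses '..' and follows symlinks; commonpath() compares whole
    path components, so a sibling directory sharing a prefix is rejected."""
    candidate = os.path.realpath(path)
    for allowed in whitelist:
        root = os.path.realpath(allowed)
        try:
            if os.path.commonpath([candidate, root]) == root:
                return True
        except ValueError:
            # Raised when the two paths cannot share a root (e.g. different
            # drives on Windows); treat that as "not inside".
            continue
    return False


def demo() -> dict:
    """Constructed layout in a temporary directory (hypothetical names):
         <tmp>/allowed/                       <- the only whitelisted directory
         <tmp>/allowed/link -> <tmp>/outside  (symlink escaping the allowed dir)
         <tmp>/outside/secret.txt
    Returns the verdict of each check on a set of candidate paths."""
    with tempfile.TemporaryDirectory() as tmp:
        allowed = os.path.join(tmp, "allowed")
        outside = os.path.join(tmp, "outside")
        os.makedirs(allowed)
        os.makedirs(outside)
        with open(os.path.join(outside, "secret.txt"), "w") as fh:
            fh.write("constructed sample content\n")
        link = os.path.join(allowed, "link")
        try:
            os.symlink(outside, link)
            symlink_ok = True
        except OSError:  # symlink creation may be denied to unprivileged users
            symlink_ok = False
        wl = [allowed]
        via_dotdot = os.path.join(allowed, "..", "outside", "secret.txt")
        sibling = allowed + "_evil" + os.sep + "job.jar"
        return {
            # a file directly inside the allowed directory: accepted by both
            "plain_file": is_within_whitelist(os.path.join(allowed, "job.jar"), wl),
            # '..' escape: rejected once the path is canonicalised
            "dotdot_escape": is_within_whitelist(via_dotdot, wl),
            # '<allowed>_evil/...' shares the string prefix but is a different directory
            "sibling_prefix": is_within_whitelist(sibling, wl),
            # symlink inside the allowed dir pointing outside: resolved and rejected
            "symlink_escape": (is_within_whitelist(os.path.join(link, "secret.txt"), wl)
                               if symlink_ok else None),
            # the naive check lets both escapes through
            "naive_dotdot_escape": naive_prefix_check(via_dotdot, wl),
            "naive_sibling_prefix": naive_prefix_check(sibling, wl),
        }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22s} -> {verdict}")
```

Canonicalising the whitelist entries themselves matters as much as canonicalising the candidate: a whitelist entry written with a trailing slash, a relative component, or a symlinked path would otherwise never match its own resolved files, which is the kind of mismatch that tempts an implementer to fall back to the weak prefix test.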


Tracking


Advisories
Source: GitHub GHSA
ID: GHSA-h84f-4ff9-8hc3
Title: Apache Livy: Unauthorized directory access
History

Thu, 19 Mar 2026 12:30:00 +0000

Type: CPEs
Values: cpe:2.3:a:apache:livy:*:*:*:*:*:*:*:*

Mon, 16 Mar 2026 10:15:00 +0000

Type: First Time appeared
Values Added: Apache; Apache livy

Type: Vendors & Products
Values Added: Apache; Apache livy

Fri, 13 Mar 2026 20:00:00 +0000

Type: References
Values: (not shown)

Fri, 13 Mar 2026 19:15:00 +0000

Type: Metrics

cvssV3_1: {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L'}

ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 13 Mar 2026 15:30:00 +0000

Type: Description
Values: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache Livy. This issue affects Apache Livy: from 0.3.0 before 0.9.0. The vulnerability can only be exploited with non-default Apache Livy Server settings. If the configuration value "livy.file.local-dir-whitelist" is set to a non-default value, the directory checking can be bypassed. Users are recommended to upgrade to version 0.9.0, which fixes the issue.

Type: Title
Values: Apache Livy: Unauthorized directory access

Type: Weaknesses
Values: CWE-22

Type: References
Values: (not shown)

MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-03-13T18:11:59.840Z

Reserved: 2025-11-25T20:04:17.179Z

Link: CVE-2025-66249

Vulnrichment

Updated: 2026-03-13T16:13:45.211Z

NVD

Status: Analyzed

Published: 2026-03-13T19:53:52.757

Modified: 2026-03-19T12:28:24.033

Link: CVE-2025-66249

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-23T12:02:51Z

Weaknesses