{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-66249", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2025-11-25T20:04:17.179Z", "datePublished": "2026-03-13T15:21:53.722Z", "dateUpdated": "2026-03-13T18:11:59.840Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://repo.maven.apache.org/maven2", "defaultStatus": "unaffected", "packageName": "org.apache.livy:livy-server", "product": "Apache Livy", "vendor": "Apache Software Foundation", "versions": [{"lessThan": "0.9.0-incubating", "status": "affected", "version": "0.3.0-incubating", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Hiroki Egawa"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache Livy.</p><p>This issue affects Apache Livy: from 0.3.0 before 0.9.0.</p><p>The vulnerability can only be exploited with non-default Apache Livy Server settings. If&nbsp;the configuration value \"livy.file.local-dir-whitelist\" is set to a non-default value, the directory checking can be bypassed.</p><p>Users are recommended to upgrade to version 0.9.0, which fixes the issue.</p>"}], "value": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache Livy.\n\nThis issue affects Apache Livy: from 0.3.0 before 0.9.0.\n\nThe vulnerability can only be exploited with non-default Apache Livy Server settings. If\u00a0the configuration value \"livy.file.local-dir-whitelist\" is set to a non-default value, the directory checking can be bypassed.\n\nUsers are recommended to upgrade to version 0.9.0, which fixes the issue."}], "metrics": [{"other": {"content": {"text": "important"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2026-03-13T15:21:53.722Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://lists.apache.org/thread/1xwphsfn4jbtym4k4o0zlvwfogwqwwc3"}], "source": {"discovery": "UNKNOWN"}, "title": "Apache Livy: Unauthorized directory access", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/03/12/2"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-03-13T16:13:45.211Z"}}, {"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-13T18:11:38.674235Z", "id": "CVE-2025-66249", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-13T18:11:59.840Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/03/12/2"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-03-13T16:13:45.211Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-66249", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-13T18:11:38.674235Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-13T18:11:52.215Z"}}], "cna": {"title": "Apache Livy: Unauthorized directory access", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Hiroki Egawa"}], "metrics": [{"other": {"type": "Textual description of severity", "content": {"text": "important"}}}], "affected": [{"vendor": "Apache Software Foundation", "product": "Apache Livy", "versions": [{"status": "affected", "version": "0.3.0-incubating", "lessThan": "0.9.0-incubating", "versionType": "semver"}], "packageName": "org.apache.livy:livy-server", "collectionURL": "https://repo.maven.apache.org/maven2", "defaultStatus": "unaffected"}], "references": [{"url": "https://lists.apache.org/thread/1xwphsfn4jbtym4k4o0zlvwfogwqwwc3", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache Livy.\n\nThis issue affects Apache Livy: from 0.3.0 before 0.9.0.\n\nThe vulnerability can only be exploited with non-default Apache Livy Server settings. If\u00a0the configuration value \"livy.file.local-dir-whitelist\" is set to a non-default value, the directory checking can be bypassed.\n\nUsers are recommended to upgrade to version 0.9.0, which fixes the issue.", "supportingMedia": [{"type": "text/html", "value": "<p>Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache Livy.</p><p>This issue affects Apache Livy: from 0.3.0 before 0.9.0.</p><p>The vulnerability can only be exploited with non-default Apache Livy Server settings. If&nbsp;the configuration value \"livy.file.local-dir-whitelist\" is set to a non-default value, the directory checking can be bypassed.</p><p>Users are recommended to upgrade to version 0.9.0, which fixes the issue.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2026-03-13T15:21:53.722Z"}}}, "cveMetadata": {"cveId": "CVE-2025-66249", "state": "PUBLISHED", "dateUpdated": "2026-03-13T18:11:59.840Z", "dateReserved": "2025-11-25T20:04:17.179Z", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "datePublished": "2026-03-13T15:21:53.722Z", "assignerShortName": "apache"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:livy:*:*:*:*:*:*:*:*", "matchCriteriaId": "E974534E-9799-4E88-90C2-DE7B5EFC8C19", "versionEndExcluding": "0.9.0", "versionStartIncluding": "0.3.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache Livy.\n\nThis issue affects Apache Livy: from 0.3.0 before 0.9.0.\n\nThe vulnerability can only be exploited with non-default Apache Livy Server settings. If\u00a0the configuration value \"livy.file.local-dir-whitelist\" is set to a non-default value, the directory checking can be bypassed.\n\nUsers are recommended to upgrade to version 0.9.0, which fixes the issue."}], "id": "CVE-2025-66249", "lastModified": "2026-03-19T12:28:24.033", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-13T19:53:52.757", "references": [{"source": "security@apache.org", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://lists.apache.org/thread/1xwphsfn4jbtym4k4o0zlvwfogwqwwc3"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2026/03/12/2"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security@apache.org", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0.3.0-incubating,0.9.0-incubating)"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Apache Livy", "source": "cna", "vendor": "Apache Software Foundation"}, "product": "livy", "vendor": "apache"}], "analysis": {"en": {"generated_at": "2026-03-19T14:20:39.337377+00:00", "value": {"mitigation_remediation": ["Upgrade Apache Livy to version\u202f0.9.0 or newer, as recommended by the vendor. If an immediate upgrade is not possible, revert the livy.file.local-dir-whitelist setting to its default value or remove non\u2011default whitelist entries to prevent directory traversal."], "summary": {"action": "Immediate Patch", "impact": "Unauthorized Directory Access"}, "threat_synthesis": {"affected_systems": "The vulnerability affects all Apache Livy installations from version\u202f0.3.0 up to, but not including, version\u202f0.9.0. The product is released by the Apache Software Foundation and is identified by the CPE cpe:2.3:a:apache:livy:*:*:*:*:*:*:*:*.", "description_and_impact": "Apache Livy is vulnerable to a Path Traversal flaw (CWE\u201122) that allows an attacker to read or access files outside the intended directory by bypassing pathname checks. This can lead to unauthorized disclosure of server files and potential compromise of configuration data if the server is exposed to an attacker.", "risk_and_exploitability": "The CVSS score of 6.3 indicates moderate risk, while the EPSS score of less than 1\u202f% suggests a low likelihood of exploitation at present. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires the server to be configured with a non\u2011default value for the livy.file.local-dir-whitelist setting; without this misconfiguration, the directory traversal cannot be performed."}}}}, "created": "2026-03-16T09:25:10.020872+00:00", "updated": "2026-03-23T12:02:51.831332+00:00", "vendors": ["apache", "apache$PRODUCT$livy"]}