CVE-2025-60012

Severity: 6.3 MEDIUM
EPSS: 0.1% (top 76.48%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Mar 13

Description

Malicious configuration can lead to unauthorized file access in Apache Livy. This issue affects Apache Livy 0.7.0 and 0.8.0 when connecting to Apache Spark 3.1 or later. A request that includes a Spark configuration value supported from Apache Spark version 3.1 can lead to users gaining access to files they do not have permissions to. For the vulnerability to be exploitable, the user needs to have access to Apache Livy's REST or JDBC interface and be able to send requests with arbitrary Spark

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Exploitability: 2.8 | Impact: 3.4

Affected Packages (3 packages)

Source    | Package                                        | From              | To
NVD       | apache/livy                                    | 0.7.0             | 0.9.0
Maven     | org.apache.livy:livy-server                    | 0.7.0-incubating  | 0.9.0-incubating
CVEListV5 | apache_software_foundation/apache_livy         | 0.7.0-incubating  | 0.9.0-incubating

Vulnerability Details (3)

GHSA: Apache Livy: Restrict file access (2026-03-13)
CVEList: Apache Livy: Restrict file access (2026-03-13)
OSV: Apache Livy: Restrict file access (2026-03-13)

Threat Intelligence (1)

Wiz: CVE-2025-60012 Impact, Exploitability, and Mitigation Steps | Wiz
CVE-2025-60012 (MEDIUM CVSS 6.3) | Malicious configuration can lead to | cvebase.io