CVE-2025-66249

CWE-22 — Path Traversal5 documents5 sources

Severity

6.3MEDIUM

EPSS

0.1%

top 78.05%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Software Foundation Apache Livy Apache Livy

Timeline

PublishedMar 13

Description

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache Livy. This issue affects Apache Livy: from 0.3.0 before 0.9.0. The vulnerability can only be exploited with non-default Apache Livy Server settings. If the configuration value "livy.file.local-dir-whitelist" is set to a non-default value, the directory checking can be bypassed. Users are recommended to upgrade to version 0.9.0, which fixes the issue.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:LExploitability: 2.8 | Impact: 3.4

Affected Packages3 packages

▶Mavenorg.apache.livy:livy-server0.3.0-incubating — 0.9.0-incubating

▶NVDapache/livy0.3.0 — 0.9.0

▶CVEListV5apache_software_foundation/apache_livy0.3.0-incubating — 0.9.0-incubating

🔴Vulnerability Details

CVEList

Apache Livy: Unauthorized directory access↗2026-03-13

▶

OSV

Apache Livy: Unauthorized directory access↗2026-03-13

▶

GHSA

Apache Livy: Unauthorized directory access↗2026-03-13

▶

🕵️Threat Intelligence

Wiz

CVE-2025-66249 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶