Severity: important
Affected versions:
- Apache Livy (org.apache.livy:livy-server) 0.3.0-incubating before 0.9.0-incubating
Description:
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
vulnerability in Apache Livy.
This issue affects Apache Livy: from 0.3.0 before 0.9.0.
The vulnerability can only be exploited with non-default Apache Livy Server
settings. If the configuration value "livy.file.local-dir-whitelist" is set to
a non-default value, the directory checking can be bypassed.
Users are recommended to upgrade to version 0.9.0, which fixes the issue.
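The class of check this advisory concerns, as an added Python illustration (not Livy's own code, and not a claim about how its whitelist check is implemented): a raw string-prefix comparison against a directory whitelist is defeated by `..` segments and by sibling directories sharing a prefix, while canonicalising both sides with realpath and requiring directory ancestry is not. The whitelist entry and the test paths are constructed.

```python
import os
from typing import Iterable


def naive_is_allowed(path: str, whitelist: Iterable[str]) -> bool:
    """Weak check: a plain string-prefix comparison.

    Passes "/data/allowed/../../etc/passwd" and "/data/allowed2/x"
    for a whitelist of ["/data/allowed"].
    """
    return any(path.startswith(d) for d in whitelist)


def hardened_is_allowed(path: str, whitelist: Iterable[str]) -> bool:
    """Canonicalise, then require the whitelisted dir to be a real ancestor.

    realpath() collapses "." and ".." segments and follows symlinks, so a
    link inside an allowed directory that points outside it is rejected
    as well. commonpath() compares whole path components, so a sibling
    such as "/data/allowed2" does not match "/data/allowed".
    """
    real = os.path.realpath(path)
    for entry in whitelist:
        base = os.path.realpath(entry)
        try:
            if os.path.commonpath([base, real]) == base:
                return True
        except ValueError:
            # Raised when paths cannot share a root (e.g. different
            # drives on Windows); treat as not allowed.
            continue
    return False


if __name__ == "__main__":
    # Constructed whitelist and sample requests (POSIX paths).
    wl = ["/data/allowed"]
    for p in ["/data/allowed/sub/job.jar",
              "/data/allowed/../../etc/passwd",
              "/data/allowed2/job.jar"]:
        print(f"{p}: naive={naive_is_allowed(p, wl)} "
              f"hardened={hardened_is_allowed(p, wl)}")
```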
Credit:
Hiroki Egawa (finder)
References:
https://livy.incubator.apache.org
https://www.cve.org/CVERecord?id=CVE-2025-66249