CVE-2025-66249: Apache Livy: Unauthorized directory access

March 13, 2026 (updated March 16, 2026)

Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) vulnerability in Apache Livy.

This issue affects Apache Livy: from 0.3.0 before 0.9.0.

The vulnerability can only be exploited with non-default Apache Livy Server settings. If the configuration value “livy.file.local-dir-whitelist” is set to a non-default value, the directory checking can be bypassed.

Users are recommended to upgrade to version 0.9.0, which fixes the issue.

References

github.com/advisories/GHSA-h84f-4ff9-8hc3
github.com/apache/incubator-livy
lists.apache.org/thread/1xwphsfn4jbtym4k4o0zlvwfogwqwwc3
nvd.nist.gov/vuln/detail/CVE-2025-66249

Code Behaviors & Features

Detect and mitigate CVE-2025-66249 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →