Home / Vulnerability Intelligence / CVE-2025-66249

CVE-2025-66249 - Vulnerability Analysis

MediumCVSS: 6.3

Last Updated: March 13, 2026

Apache Livy - Path Traversal

Published: March 13, 2026Updated: March 13, 2026PoC AvailableRemote Exploitable

Overview

Apache Livy 0.3.0 to before 0.9.0 contains a path traversal caused by improper limitation of pathname in livy.file.local-dir-whitelist configuration, letting attackers bypass directory checks, exploit requires non-default server settings.

Severity & Score

Severity: Medium

CVSS Score: 6.3

Impact

Attackers can bypass directory restrictions, potentially accessing unauthorized files on the server.

Mitigation

Upgrade to version 0.9.0.

References

https://lists.apache.org/thread/1xwphsfn4jbtym4k4o0zlvwfogwqwwc3
http://www.openwall.com/lists/oss-security/2026/03/12/2

Related Resources

Vulnerability Intelligence Dashboard
Credential Scanner

Details

CVE ID: CVE-2025-66249
Severity: Medium
CVSS Score: 6.3
Type: path_traversal
Status: new

CWE

CWE-22

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L