CVE-2025-66518
Unknown Unknown - Not Provided

Local File Access Bypass in Apache Kyuubi Server

Vulnerability report for CVE-2025-66518, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-01-05

Last updated on: 2026-01-05

Assigner: Apache Software Foundation

Description

Any client who can access to Apache Kyuubi Server via Kyuubi frontend protocols can bypass server-side config kyuubi.session.local.dir.allow.list and use local files which are not listed in the config. This issue affects Apache Kyuubi: from 1.6.0 through 1.10.2. Users are recommended to upgrade to version 1.10.3 or upper, which fixes the issue.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-01-05
Last Modified
2026-01-05
Generated
2026-07-06
AI Q&A
2026-01-05
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
apache kyuubi From 1.6.0 (inc) to 1.10.2 (inc)
apache kyuubi 1.10.3

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-27 The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize multiple internal "../" sequences that can resolve to a location that is outside of that directory.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability allows any client who can access the Apache Kyuubi Server via Kyuubi frontend protocols to bypass the server-side configuration 'kyuubi.session.local.dir.allow.list'. This means the client can use local files that are not listed or allowed by the server configuration, potentially accessing unauthorized local files.

Impact Analysis

The impact of this vulnerability is that unauthorized clients can access local files on the server that should be restricted by the server configuration. This can lead to exposure of sensitive data, unauthorized file access, and potential compromise of the server environment.

Mitigation Strategies

Users are recommended to upgrade Apache Kyuubi to version 1.10.3 or higher, which fixes the issue.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-66518. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart