CVE-2025-60012
Received Received - Intake
Unauthorized File Access via Misconfigured Spark Settings in Apache Livy

Publication date: 2026-03-13

Last updated on: 2026-03-19

Assigner: Apache Software Foundation

Description
Malicious configuration can lead to unauthorized file access in Apache Livy. This issue affects Apache Livy 0.7.0 and 0.8.0 when connecting to Apache Spark 3.1 or later. A request that includes a Spark configuration value supported from Apache Spark version 3.1 can lead to users gaining access to files they do not have permissions to. For the vulnerability to be exploitable, the user needs to have access to Apache Livy's REST or JDBC interface and be able to send requests with arbitrary Spark configuration values. Users are recommended to upgrade to version 0.9.0 or later, which fixes the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-13
Last Modified
2026-03-19
Generated
2026-06-16
AI Q&A
2026-03-13
EPSS Evaluated
2026-06-15
NVD
CVE-2025-60012
EUVD
EUVD-2025-208637
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
apache livy From 0.7.0 (inc) to 0.9.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2025-60012 is a security vulnerability in Apache Livy versions 0.7.0 and 0.8.0 when used with Apache Spark 3.1 or later.'}, {'type': 'paragraph', 'content': "The vulnerability arises because a malicious configuration can be sent via Apache Livy's REST or JDBC interface, which includes Spark configuration values supported from Spark version 3.1 onwards."}, {'type': 'paragraph', 'content': 'This can lead to unauthorized file access, allowing users to gain access to files they do not have permission to access.'}, {'type': 'paragraph', 'content': "To exploit this vulnerability, an attacker must have access to Livy's REST or JDBC interfaces and be able to send requests with arbitrary Spark configuration parameters."}, {'type': 'paragraph', 'content': 'The issue is fixed in Apache Livy version 0.9.0 and later.'}] [1]

Impact Analysis

[{'type': 'paragraph', 'content': 'This vulnerability can impact you by allowing unauthorized users to access files they should not have permission to view or modify.'}, {'type': 'paragraph', 'content': 'Such unauthorized file access can lead to data leakage, exposure of sensitive information, and potential compromise of system integrity.'}, {'type': 'paragraph', 'content': "Since exploitation requires access to Livy's REST or JDBC interfaces, if these are exposed or accessible to untrusted users, the risk is higher."}, {'type': 'paragraph', 'content': 'Upgrading to Apache Livy version 0.9.0 or later mitigates this risk.'}] [1]

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': "Detection of this vulnerability involves monitoring access to Apache Livy's REST or JDBC interfaces for requests containing arbitrary or unusual Spark configuration values, especially those supported from Apache Spark version 3.1 or later."}, {'type': 'paragraph', 'content': 'One approach is to inspect logs or network traffic for suspicious requests that include Spark configuration parameters that could lead to unauthorized file access.'}, {'type': 'paragraph', 'content': 'For example, you can use commands like the following to search Livy server logs for suspicious Spark configuration parameters:'}, {'type': 'list_item', 'content': "grep -i 'spark.' /path/to/livy/logs/*"}, {'type': 'list_item', 'content': "tcpdump -A -s 0 'tcp port 8998' # Assuming default Livy REST port 8998, to capture REST API traffic"}, {'type': 'paragraph', 'content': 'Additionally, monitoring for unusual file access patterns or permission errors in system logs may help identify exploitation attempts.'}] [1]

Mitigation Strategies

[{'type': 'paragraph', 'content': 'The primary immediate mitigation step is to upgrade Apache Livy to version 0.9.0 or later, where this vulnerability is fixed.'}, {'type': 'paragraph', 'content': "Until the upgrade can be performed, restrict access to Apache Livy's REST and JDBC interfaces to trusted users only, minimizing the risk of unauthorized requests."}, {'type': 'paragraph', 'content': 'Additionally, review and harden configuration settings to prevent users from sending arbitrary Spark configuration values through Livy.'}] [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-60012. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart