CVE-2025-60012
Unauthorized File Access via Misconfigured Spark Settings in Apache Livy
Publication date: 2026-03-13
Last updated on: 2026-03-19
Assigner: Apache Software Foundation
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| apache | livy | From 0.7.0 (inc) to 0.9.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
[{'type': 'paragraph', 'content': 'CVE-2025-60012 is a security vulnerability in Apache Livy versions 0.7.0 and 0.8.0 when used with Apache Spark 3.1 or later.'}, {'type': 'paragraph', 'content': "The vulnerability arises because a malicious configuration can be sent via Apache Livy's REST or JDBC interface, which includes Spark configuration values supported from Spark version 3.1 onwards."}, {'type': 'paragraph', 'content': 'This can lead to unauthorized file access, allowing users to gain access to files they do not have permission to access.'}, {'type': 'paragraph', 'content': "To exploit this vulnerability, an attacker must have access to Livy's REST or JDBC interfaces and be able to send requests with arbitrary Spark configuration parameters."}, {'type': 'paragraph', 'content': 'The issue is fixed in Apache Livy version 0.9.0 and later.'}] [1]
How can this vulnerability impact me? :
[{'type': 'paragraph', 'content': 'This vulnerability can impact you by allowing unauthorized users to access files they should not have permission to view or modify.'}, {'type': 'paragraph', 'content': 'Such unauthorized file access can lead to data leakage, exposure of sensitive information, and potential compromise of system integrity.'}, {'type': 'paragraph', 'content': "Since exploitation requires access to Livy's REST or JDBC interfaces, if these are exposed or accessible to untrusted users, the risk is higher."}, {'type': 'paragraph', 'content': 'Upgrading to Apache Livy version 0.9.0 or later mitigates this risk.'}] [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': "Detection of this vulnerability involves monitoring access to Apache Livy's REST or JDBC interfaces for requests containing arbitrary or unusual Spark configuration values, especially those supported from Apache Spark version 3.1 or later."}, {'type': 'paragraph', 'content': 'One approach is to inspect logs or network traffic for suspicious requests that include Spark configuration parameters that could lead to unauthorized file access.'}, {'type': 'paragraph', 'content': 'For example, you can use commands like the following to search Livy server logs for suspicious Spark configuration parameters:'}, {'type': 'list_item', 'content': "grep -i 'spark.' /path/to/livy/logs/*"}, {'type': 'list_item', 'content': "tcpdump -A -s 0 'tcp port 8998' # Assuming default Livy REST port 8998, to capture REST API traffic"}, {'type': 'paragraph', 'content': 'Additionally, monitoring for unusual file access patterns or permission errors in system logs may help identify exploitation attempts.'}] [1]
What immediate steps should I take to mitigate this vulnerability?
[{'type': 'paragraph', 'content': 'The primary immediate mitigation step is to upgrade Apache Livy to version 0.9.0 or later, where this vulnerability is fixed.'}, {'type': 'paragraph', 'content': "Until the upgrade can be performed, restrict access to Apache Livy's REST and JDBC interfaces to trusted users only, minimizing the risk of unauthorized requests."}, {'type': 'paragraph', 'content': 'Additionally, review and harden configuration settings to prevent users from sending arbitrary Spark configuration values through Livy.'}] [1]