Apache Livy security advisories

Security information for Apache Livy

Reporting

Do you want disclose a potential security issue for Apache Livy? Send your report to the Apache Security Team.

Advisories

This section is experimental: it provides advisories since 2023 and may lag behind the official CVE publications. If you have any feedback on how you would like this data to be provided, you are welcome to reach out on our public mailinglist or privately on security@apache.org

Unauthorized directory access

CVE-2025-66249 [CVE] [CVE json] [OSV json]

Last updated: 2026-04-10T15:57:26.189Z

Affected

  • Apache Livy from 0.3.0-incubating before 0.9.0-incubating

Description

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache Livy.

This issue affects Apache Livy: from 0.3.0 before 0.9.0.

The vulnerability can only be exploited with non-default Apache Livy Server settings. If the configuration value "livy.file.local-dir-whitelist" is set to a non-default value, the directory checking can be bypassed.

Users are recommended to upgrade to version 0.9.0, which fixes the issue.

References

Credits

  • Hiroki Egawa (finder)

Restrict file access

CVE-2025-60012 [CVE] [CVE json] [OSV json]

Last updated: 2026-03-13T15:23:05.927Z

Affected

  • Apache Livy from 0.7.0-incubating before 0.9.0-incubating

Description

Malicious configuration can lead to unauthorized file access in Apache Livy.

This issue affects Apache Livy 0.7.0 and 0.8.0 when connecting to Apache Spark 3.1 or later.

A request that includes a Spark configuration value supported from Apache Spark version 3.1 can lead to users gaining access to files they do not have permissions to.

For the vulnerability to be exploitable, the user needs to have access to Apache Livy's REST or JDBC interface and be able to send requests with arbitrary Spark configuration values.

Users are recommended to upgrade to version 0.9.0 or later, which fixes the issue.

References

Credits

  • Furue Hideyuki (finder)

Apache Livy (Incubating) is vulnerable to cross site scripting

CVE-2021-26544 [CVE] [CVE json] [OSV json]

Last updated: 2021-02-20T08:56:02.977Z

Affected

  • Apache Livy (Incubating) at 0.7.0-incubating

Description

Livy server version 0.7.0-incubating (only) is vulnerable to a cross site scripting issue in the session name. A malicious user could use this flaw to access logs and results of other users’ sessions and run jobs with their privileges. This issue is fixed in Livy 0.7.1-incubating.

References

Credits

  • We would like to thank Andras Beni for reporting this issue