Apache Livy security advisories
Security information for Apache Livy
Reporting
Do you want disclose a potential security issue for Apache Livy? Send your report to the Apache Security Team.
Advisories
This section is experimental: it provides advisories since 2023 and may lag behind the official CVE publications. If you have any feedback on how you would like this data to be provided, you are welcome to reach out on our public mailinglist or privately on security@apache.org
Unauthorized directory access
CVE-2025-66249 [CVE] [CVE json] [OSV json]
Last updated: 2026-04-10T15:57:26.189Z
Affected
- Apache Livy from 0.3.0-incubating before 0.9.0-incubating
Description
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache Livy.
This issue affects Apache Livy: from 0.3.0 before 0.9.0.
The vulnerability can only be exploited with non-default Apache Livy Server settings. If the configuration value "livy.file.local-dir-whitelist" is set to a non-default value, the directory checking can be bypassed.
Users are recommended to upgrade to version 0.9.0, which fixes the issue.
References
Credits
- Hiroki Egawa (finder)
Restrict file access
CVE-2025-60012 [CVE] [CVE json] [OSV json]
Last updated: 2026-03-13T15:23:05.927Z
Affected
- Apache Livy from 0.7.0-incubating before 0.9.0-incubating
Description
Malicious configuration can lead to unauthorized file access in Apache Livy.
This issue affects Apache Livy 0.7.0 and 0.8.0 when connecting to Apache Spark 3.1 or later.
A request that includes a Spark configuration value supported from Apache Spark version 3.1 can lead to users gaining access to files they do not have permissions to.
For the vulnerability to be exploitable, the user needs to have access to Apache Livy's REST or JDBC interface and be able to send requests with arbitrary Spark configuration values.
Users are recommended to upgrade to version 0.9.0 or later, which fixes the issue.
References
Credits
- Furue Hideyuki (finder)
Apache Livy (Incubating) is vulnerable to cross site scripting
CVE-2021-26544 [CVE] [CVE json] [OSV json]
Last updated: 2021-02-20T08:56:02.977Z
Affected
- Apache Livy (Incubating) at 0.7.0-incubating
Description
Livy server version 0.7.0-incubating (only) is vulnerable to a cross site scripting issue in the session name. A malicious user could use this flaw to access logs and results of other users’ sessions and run jobs with their privileges. This issue is fixed in Livy 0.7.1-incubating.
References
- https://github.com/apache/incubator-livy/commit/4d8a912699683b973eee76d4e91447d769a0cb0d
- https://lists.apache.org/thread.html/r2db14e7fd1e5ec2519e8828d43529bad623d75698cc7918af3a3f3ed%40%3Cuser.livy.apache.org%3E
Credits
- We would like to thank Andras Beni for reporting this issue