Path Traversal Vulnerability in Apache Livy by Apache
CVE-2025-66249

6.3MEDIUM

Key Information:

Vendor: Apache
Status: Apache Livy
Vendor: CVE Published:; 13 March 2026

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2025-66249?

A path traversal vulnerability in Apache Livy allows for the circumvention of directory restrictions under non-default server configurations. This issue particularly arises when the 'livy.file.local-dir-whitelist' setting is modified from its default state, enabling attackers to potentially access restricted directories. To mitigate this risk, users are advised to update to version 0.9.0, which resolves this configuration-related vulnerability.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

Apache Livy 0.3.0-incubating < 0.9.0-incubating

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2025-66249-POC
Created by sid6224

References

https://lists.apache.org/thread/1xwphsfn4jbtym4k4o0zlvwfo...

vendor-advisory

CVSS V3.1

Score:

6.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

🟡
Public PoC available
Mar 16, 2026
👾
Exploit known to exist
Mar 16, 2026
Vulnerability published
Mar 13, 2026
Vulnerability Reserved
Nov 25, 2025

Credit

Hiroki Egawa

JSON

Apache