Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-60012

CVE-2025-60012: Apache Livy Information Disclosure Flaw

CVE-2025-60012 is an information disclosure vulnerability in Apache Livy that allows unauthorized file access through malicious configurations. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2025-60012 Overview

A vulnerability in Apache Livy allows malicious configuration values to enable unauthorized file access when connecting to Apache Spark 3.1 or later. This improper input validation flaw (CWE-20) affects Apache Livy versions 0.7.0 and 0.8.0, allowing authenticated users with access to Livy's REST or JDBC interface to submit requests containing arbitrary Spark configuration values. When exploited, this can lead to users gaining access to files they do not have permissions to view or modify.

Critical Impact

Authenticated attackers can bypass file access restrictions by injecting malicious Spark configuration values through Apache Livy's REST or JDBC interface, potentially exposing sensitive data stored in the Spark environment.

Affected Products

  • Apache Livy 0.7.0
  • Apache Livy 0.8.0
  • Apache Livy when connected to Apache Spark 3.1 or later

Discovery Timeline

  • 2026-03-13 - CVE CVE-2025-60012 published to NVD
  • 2026-03-19 - Last updated in NVD database

Technical Details for CVE-2025-60012

Vulnerability Analysis

This vulnerability stems from improper input validation in Apache Livy's handling of Spark configuration values. Apache Livy serves as a REST interface for interacting with Apache Spark clusters, enabling users to submit jobs and manage Spark sessions remotely. The vulnerability specifically manifests when Livy processes requests containing Spark configuration parameters that were introduced in Apache Spark 3.1.

When a user sends a request to Apache Livy's REST or JDBC interface with specially crafted Spark configuration values, the application fails to properly validate whether the requesting user should have access to the resources referenced by those configuration values. This allows an authenticated user to potentially access files outside their authorized scope within the Spark environment.

Root Cause

The root cause is improper input validation (CWE-20) in the configuration handling logic. Apache Livy does not adequately sanitize or validate Spark configuration values submitted through its interfaces, particularly those configuration options that were added in Spark 3.1. This lack of validation allows users to specify file paths or resources they should not have access to, effectively bypassing file-level access controls.

Attack Vector

The attack vector is network-based and requires authentication. An attacker must have legitimate access to Apache Livy's REST API or JDBC interface. The attack can be executed with low complexity as it only requires the ability to submit Spark configuration values as part of a job or session request.

The exploitation scenario involves:

  1. An authenticated user crafting a request to the Apache Livy REST or JDBC interface
  2. Including malicious Spark configuration values that reference protected files or directories
  3. Submitting the request, causing Livy to process the configuration without proper validation
  4. Gaining unauthorized read or write access to files based on the Spark cluster's permissions

For detailed technical information, refer to the Apache Mailing List Thread or the Openwall OSS-Security Update.

Detection Methods for CVE-2025-60012

Indicators of Compromise

  • Unusual Spark configuration values in Livy request logs, particularly those referencing file paths outside normal job directories
  • Unexpected file access patterns from the Spark execution context
  • Requests to Livy REST API containing configuration keys related to file system access introduced in Spark 3.1
  • Access to sensitive files from user accounts that should not have those permissions

Detection Strategies

  • Monitor Apache Livy access logs for requests containing unusual or suspicious Spark configuration parameters
  • Implement log analysis rules to detect configuration values that reference sensitive file paths or system directories
  • Deploy file integrity monitoring on sensitive directories accessible by the Spark cluster
  • Audit Livy REST and JDBC interface access patterns for anomalous behavior

Monitoring Recommendations

  • Enable verbose logging for Apache Livy REST and JDBC interface requests
  • Configure alerts for access attempts to sensitive directories from Spark jobs
  • Implement network monitoring to detect unusual traffic patterns to Livy endpoints
  • Review Spark job configuration submissions regularly for unauthorized file path references

How to Mitigate CVE-2025-60012

Immediate Actions Required

  • Upgrade Apache Livy to version 0.9.0 or later, which contains the security fix
  • Restrict access to Apache Livy's REST and JDBC interfaces to only trusted users and applications
  • Implement network segmentation to limit which systems can communicate with Livy endpoints
  • Review and audit existing user access permissions for Livy interfaces

Patch Information

Apache has released version 0.9.0 which addresses this vulnerability. Users running Apache Livy 0.7.0 or 0.8.0 connected to Apache Spark 3.1 or later should upgrade immediately. For detailed patch information and upgrade instructions, consult the Apache Mailing List Thread.

Workarounds

  • Implement strict network access controls to limit who can reach Livy's REST and JDBC interfaces
  • Apply input validation at the network or application gateway level to filter suspicious Spark configuration values
  • Consider temporarily disabling Livy's external interfaces if they are not required for operations
  • Use a reverse proxy with request inspection capabilities to validate configuration parameters before they reach Livy
bash
# Configuration example - Restrict Livy access via firewall rules
# Block external access to Livy REST API (default port 8998)
iptables -A INPUT -p tcp --dport 8998 -s trusted_network/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 8998 -j DROP

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.