CVE-2025-60012 Overview
A vulnerability in Apache Livy allows a user to submit malicious Spark configuration values that, when Livy is connected to Apache Spark 3.1 or later, enable unauthorized file access. This improper input validation flaw (CWE-20) affects Apache Livy versions 0.7.0 and 0.8.0. Any authenticated user with access to Livy's REST or JDBC interface can include arbitrary Spark configuration values in a session or batch request; when exploited, this lets the user read or modify files they are not permitted to access.
Critical Impact
Authenticated users can bypass file access restrictions by injecting malicious Spark configuration values through Apache Livy's REST or JDBC interface, potentially exposing or altering sensitive data reachable from the Spark environment. Because only ordinary job-submission access is needed, every user of a vulnerable Livy deployment is a potential attacker, not just administrators.
Affected Products
- Apache Livy 0.7.0
- Apache Livy 0.8.0
- Exposure is reported only when Livy is connected to Apache Spark 3.1 or later
Discovery Timeline
- 2026-03-13 - CVE CVE-2025-60012 published to NVD
- 2026-03-19 - Last updated in NVD database
Technical Details for CVE-2025-60012
Vulnerability Analysis
This vulnerability stems from improper input validation in Apache Livy's handling of Spark configuration values. Apache Livy is a REST (and, through its Thrift server, JDBC) interface to Apache Spark clusters: clients create interactive sessions and submit batch jobs remotely, and each request may carry a map of Spark configuration properties that Livy passes through to the Spark application it launches. The advisory ties the issue to Apache Spark 3.1 or later: Livy 0.7.0 and 0.8.0 running against older Spark releases are not listed as affected, which indicates that the exploitable behaviour depends on how Spark 3.1 and later interpret the forwarded configuration.
When a user sends a session or batch request to Livy's REST or JDBC interface with specially crafted configuration values, Livy does not verify that the requesting user is entitled to the file resources those values reference before forwarding them to Spark. The Spark application then acts on that configuration with its own privileges, so an authenticated user can reach files outside their authorized scope.
Root Cause
The root cause is improper input validation (CWE-20) in Livy's configuration handling. Livy does not adequately validate or filter the Spark configuration values submitted through its interfaces before passing them to Spark, so a user can specify file paths or resources they should not be able to reach, bypassing file-level access controls. Note that the public advisory does not name the specific configuration keys involved; do not assume a key-based filter covers them all without checking the fix shipped in 0.9.0.
Attack Vector
The attack vector is network-based and requires authentication. An attacker must have legitimate access to Apache Livy's REST API or JDBC interface. The attack can be executed with low complexity as it only requires the ability to submit Spark configuration values as part of a job or session request.
The exploitation scenario involves:
- An authenticated user crafting a request to the Apache Livy REST or JDBC interface
- Including malicious Spark configuration values that reference protected files or directories
- Submitting the request, causing Livy to process the configuration without proper validation
- Gaining read or write access to files that the launched Spark processes can reach but the submitting user should not, since the access happens with the Spark cluster's permissions rather than the user's own
For detailed technical information, refer to the Apache Mailing List Thread or the Openwall OSS-Security Update.
Detection Methods for CVE-2025-60012
Indicators of Compromise
- Unusual Spark configuration values in Livy request logs, particularly those referencing file paths outside normal job directories
- Unexpected file access patterns from the Spark execution context
- Requests to the Livy REST API or JDBC interface whose configuration maps contain keys or values referencing file paths, file system URIs, or system directories
- Access to sensitive files from user accounts that should not have those permissions
Detection Strategies
- Monitor Livy requests for unusual or suspicious Spark configuration parameters; standard HTTP access logs record only the request line, not the JSON body that carries the configuration map, so capture bodies at a reverse proxy or API gateway if Livy's own logging does not expose them
- Implement log analysis rules that flag configuration values referencing sensitive file paths, system directories, or file system URIs outside the locations a job is expected to use
- Deploy file integrity monitoring on sensitive directories reachable by the Spark driver and executors
- Audit Livy REST and JDBC interface access patterns (who creates sessions, from where, and how often) for anomalous behaviour
Monitoring Recommendations
- Enable verbose logging for Apache Livy REST and JDBC interface requests
- Configure alerts for access attempts to sensitive directories from Spark jobs
- Implement network monitoring to detect unusual traffic patterns to Livy endpoints (new client sources, bursts of session creation); with TLS in place the configuration values themselves are visible only at the TLS terminator or at Livy, not on the wire
- Review Spark job configuration submissions regularly for unauthorized file path references
How to Mitigate CVE-2025-60012
Immediate Actions Required
- Upgrade Apache Livy to version 0.9.0 or later, which contains the security fix
- Restrict access to Apache Livy's REST and JDBC interfaces to only trusted users and applications
- Implement network segmentation to limit which systems can communicate with Livy endpoints
- Review and audit existing user access permissions for Livy interfaces
Patch Information
Apache has released version 0.9.0 which addresses this vulnerability. Users running Apache Livy 0.7.0 or 0.8.0 connected to Apache Spark 3.1 or later should upgrade immediately. For detailed patch information and upgrade instructions, consult the Apache Mailing List Thread.
Workarounds
- Implement strict network access controls to limit who can reach Livy's REST and JDBC interfaces, and enable Livy's own access control (livy.server.access-control.enabled with the allowed-users and modify-users lists) so that only known accounts can create sessions; this shrinks the attacker pool but does not remove the flaw, since any remaining authenticated user can still exploit it
- Put a reverse proxy or application gateway with request inspection in front of Livy and have it reject session and batch requests whose conf map contains configuration keys outside an approved set or values that reference unexpected file paths; treat this as a stopgap, because the advisory does not enumerate the affected keys
- Consider temporarily disabling Livy's external interfaces (the REST listener and, if enabled, the Thrift/JDBC server) if they are not required for operations
# Configuration example - Restrict Livy access via firewall rules
# Allow the Livy REST API (default port 8998) only from the trusted client network and drop everything else.
# iptables -A appends, so these rules only take effect if no earlier rule already accepts this port.
TRUSTED_NET=192.0.2.0/24   # placeholder: replace with the CIDR of your trusted clients
iptables -A INPUT -p tcp --dport 8998 -s "$TRUSTED_NET" -j ACCEPT
iptables -A INPUT -p tcp --dport 8998 -j DROP
# Repeat both rules for the JDBC/Thrift port (livy.server.thrift.port) if that interface is enabled.
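As an added example (not code from this page, from Apache Livy, or from the advisory) of both the log-analysis rule suggested under Detection Strategies and the gateway-side validation suggested under Workarounds, the Python below applies one policy to Livy session and batch creation requests. The policy is a hypothetical local choice: ALLOWED_CONF_KEYS lists the Spark configuration keys an ordinary user may set, and ALLOWED_PATH_ROOTS lists the locations a job is expected to reference. The JSON-lines request records and the configuration keys they contain are constructed for illustration and are not the keys the advisory concerns; because the advisory does not name those keys, the example flags any key outside the allowlist as well as any path-like value outside the approved roots.

```python
import json
import re
from typing import Dict, List, Tuple

# Hypothetical policy, not from Livy or the advisory: keys an ordinary user may set.
# Everything else is rejected, because the advisory does not list the keys involved.
ALLOWED_CONF_KEYS = {
    "spark.executor.memory",
    "spark.executor.cores",
    "spark.executor.instances",
    "spark.driver.memory",
    "spark.driver.cores",
    "spark.sql.shuffle.partitions",
    "spark.dynamicAllocation.enabled",
}

# Hypothetical roots under which a job may legitimately reference files.
ALLOWED_PATH_ROOTS = ("hdfs://cluster/user/", "s3a://analytics-jobs/")

# Anything that looks like a file reference inside a value: a URI with a scheme
# (file:///etc/passwd, hdfs://cluster/...) or an absolute local path (/etc/passwd).
PATH_LIKE = re.compile(r"(?:[A-Za-z][A-Za-z0-9+.-]*:/+|/)[^\s,;]+")


def path_refs(value: str) -> List[str]:
    """Return every file-system-looking reference found inside one config value."""
    return PATH_LIKE.findall(value)


def is_allowed_path(ref: str) -> bool:
    return any(ref.startswith(root) for root in ALLOWED_PATH_ROOTS)


def validate_spark_conf(conf: Dict[str, str]) -> List[str]:
    """Return the reasons a conf map violates the policy; an empty list means it passes.

    Keys are checked against the allowlist and every value is scanned for path
    references, so a path smuggled into an otherwise harmless-looking key is caught.
    """
    reasons: List[str] = []
    for key, raw in conf.items():
        value = str(raw)
        if key not in ALLOWED_CONF_KEYS:
            reasons.append(f"key not in allowlist: {key}")
        for ref in path_refs(value):
            if not is_allowed_path(ref):
                reasons.append(f"path outside allowed roots in {key}: {ref}")
    return reasons


def scan_request_log(lines: List[str]) -> List[Tuple[str, str, List[str]]]:
    """Apply the policy to recorded Livy requests (JSON lines with the parsed body).

    Only session and batch creation carry a conf map, so other requests are skipped.
    Returns (timestamp, user, reasons) for each request that violates the policy.
    """
    findings: List[Tuple[str, str, List[str]]] = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("method") != "POST" or rec.get("path") not in ("/sessions", "/batches"):
            continue
        conf = (rec.get("body") or {}).get("conf") or {}
        reasons = validate_spark_conf(conf)
        if reasons:
            findings.append((rec["ts"], rec["user"], reasons))
    return findings


# Constructed sample records (not real Livy output); the gateway is assumed to log
# the JSON body of each request alongside the usual access-log fields.
SAMPLE_LOG = """
{"ts":"2026-03-20T10:01:02Z","user":"alice","method":"POST","path":"/sessions","body":{"kind":"pyspark","conf":{"spark.executor.memory":"2g","spark.sql.shuffle.partitions":"64"}}}
{"ts":"2026-03-20T10:02:10Z","user":"bob","method":"POST","path":"/batches","body":{"file":"hdfs://cluster/user/bob/etl.py","conf":{"spark.executor.memory":"4g","spark.driver.extraJavaOptions":"-Dconfig.dir=/etc/spark-secrets"}}}
{"ts":"2026-03-20T10:03:44Z","user":"bob","method":"GET","path":"/sessions/12/state","body":{}}
{"ts":"2026-03-20T10:05:09Z","user":"carol","method":"POST","path":"/sessions","body":{"kind":"spark","conf":{"spark.executor.memory":"2g","spark.files":"hdfs://cluster/user/carol/lookup.csv,file:///etc/passwd"}}}
"""


def main() -> None:
    for ts, user, reasons in scan_request_log(SAMPLE_LOG.splitlines()):
        print(f"{ts} {user}:")
        for reason in reasons:
            print(f"  - {reason}")


if __name__ == "__main__":
    main()
```

The same validate_spark_conf function can run inline in the gateway (reject the request when it returns a non-empty list) and over recorded requests after the fact; on the constructed sample it flags bob's batch for the non-allowlisted key and the /etc path in its value, and carol's session for the file:///etc/passwd reference while accepting her hdfs://cluster/user/ path. Rejecting unknown keys outright is deliberate: a denylist of "known bad" keys would miss whichever keys the fix in 0.9.0 actually covers.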
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

