CVE-2025-66518 Overview
A path traversal vulnerability in Apache Kyuubi Server allows authenticated clients to bypass the server-side allowlist configured with kyuubi.session.local.dir.allow.list and reference local files that the allowlist does not explicitly permit. It is reachable by any client that can connect to the Kyuubi Server through one of its frontend protocols.
Critical Impact
Authenticated attackers can read local files on the Kyuubi server that lie outside the configured allowlist, limited only by the filesystem permissions of the OS account the Kyuubi Server process runs as. That can expose configuration files, credentials such as service keytabs or database passwords, and other sensitive data on the host.
Affected Products
- Apache Kyuubi versions 1.6.0 through 1.10.2
Discovery Timeline
- 2026-01-05 - CVE CVE-2025-66518 published to NVD
- 2026-01-08 - Last updated in NVD database
Technical Details for CVE-2025-66518
Vulnerability Analysis
This vulnerability is classified as CWE-27 (Path Traversal: 'dir/../../filename'): a pathname that begins inside a permitted directory but uses '..' segments to climb out of it. Apache Kyuubi Server provides the configuration kyuubi.session.local.dir.allow.list to restrict which local files and directories clients may reference. A flaw in the path validation logic lets authenticated clients circumvent that restriction entirely.
An attacker with valid credentials can therefore reference files outside the allowed directories. This is an authorization bypass: administrators who rely on the allowlist to fence off server-side resources get no protection from it on affected versions.
Root Cause
The root cause is inadequate path validation in the Kyuubi frontend protocol handlers. When a client request references a local file, the server checks the supplied string against kyuubi.session.local.dir.allow.list without first resolving it; consistent with the CWE-27 classification, a path that starts with an allowed directory and then contains '..' segments passes the check while resolving to a location outside the allowlist.
Attack Vector
The attack is conducted over the network by any client that can legitimately connect to the Apache Kyuubi Server through one of its frontend protocols. The attacker needs valid credentials to establish a session but no elevated privileges. By submitting requests whose local file references contain manipulated paths, the attacker bypasses the directory allowlist and reads files from locations outside it.
The bypass relies on traversal sequences ('..' segments) or similar path manipulation that the file reference validation fails to resolve before comparing against the allowlist. What can be read is bounded by the permissions of the Kyuubi Server's OS account, which in practice covers Kyuubi and engine configuration files, database credentials, private keys, and other secrets stored on the host.
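To make the CWE-27 mechanism concrete, here is an added Python illustration that is not Kyuubi's code (the project is written in Scala, and its actual check and fix are not reproduced here): a prefix-only allowlist check of the kind described above next to one that normalizes the path before comparing. The allowlist values and sample paths are constructed for the example. It also covers a related bypass the page does not discuss, a sibling directory that shares the allowed prefix, which the same normalize-then-compare-at-a-boundary check closes.

```python
import posixpath

# Constructed allowlist for the illustration; the real kyuubi.session.local.dir.allow.list
# value is deployment specific and holds absolute directory paths.
ALLOW_LIST = ["/opt/kyuubi/user-files", "/srv/shared"]


def naive_allowed(path: str, allow_list=ALLOW_LIST) -> bool:
    """The CWE-27 shape of check: the raw client string is prefix-matched against the
    allowlist. '/opt/kyuubi/user-files/../../../etc/passwd' begins with an allowed
    directory, so it is accepted although it resolves to /etc/passwd. The same check
    also accepts a sibling such as '/opt/kyuubi/user-files-other/' (added generalization)."""
    return any(path.startswith(d) for d in allow_list)


def _under(path: str, base: str) -> bool:
    """True if an already-normalized path is base itself or lies below base."""
    base = base.rstrip("/") or "/"
    return path == base or path.startswith(base + "/")


def hardened_allowed(path: str, allow_list=ALLOW_LIST) -> bool:
    """Require an absolute path, collapse '.' and '..' lexically, then compare at a
    directory boundary. Lexical normalization does not follow symlinks; against a
    live filesystem the path would additionally go through os.path.realpath()."""
    if not path.startswith("/"):
        return False
    resolved = posixpath.normpath(path)
    return any(_under(resolved, posixpath.normpath(d)) for d in allow_list)


# Constructed requests: legitimate, traversal, sibling-prefix, noisy-but-benign, relative.
SAMPLE_PATHS = [
    "/opt/kyuubi/user-files/udfs.jar",
    "/opt/kyuubi/user-files/../../../etc/passwd",
    "/opt/kyuubi/user-files-other/x.jar",
    "/srv/shared/./data/part-0.csv",
    "relative/path.jar",
]

if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(f"{p:48} naive={str(naive_allowed(p)):5} hardened={hardened_allowed(p)}")
```

The two functions disagree on exactly the traversal and sibling-prefix cases: the naive check accepts both, the hardened one rejects both while still admitting the legitimate paths, including one spelled with a harmless './' segment.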
Detection Methods for CVE-2025-66518
Indicators of Compromise
- Session requests whose local path arguments, once normalized, resolve outside the directories listed in kyuubi.session.local.dir.allow.list
- Referenced paths pointing at sensitive host files, for example /etc/passwd, Kyuubi or engine configuration files, keytabs, or other credential stores
- Path strings containing '..' segments, or their percent-encoded forms (..%2f, %2e%2e) where the REST frontend is in use
- Sessions from unfamiliar principals or client hosts that begin referencing local files shortly after authenticating
Detection Strategies
- Monitor Kyuubi server and audit logs for local path arguments containing traversal patterns, and normalize each path before judging it: a '..' that stays inside an allowed directory is noise, one that escapes it is the signal
- Network-level inspection of frontend traffic for path strings only works where the protocol is in the clear; Kyuubi's default Thrift binary frontend is not HTTP, and with TLS enabled neither it nor the REST frontend is inspectable in transit, so prefer server-side logs
- Use OS-level file access auditing (for example auditd watches on credential and configuration directories) to record reads by the Kyuubi service account; file integrity monitoring detects modification, not reads, and will not see this attack
- Alert on any referenced local path that resolves outside the configured kyuubi.session.local.dir.allow.list directories
Monitoring Recommendations
- Enable verbose logging on Apache Kyuubi Server to capture all file access requests
- Implement centralized log aggregation to correlate file access patterns across multiple Kyuubi instances
- Set up automated alerts for path traversal indicators in request parameters
- Review authentication logs for unusual session activity preceding file access attempts
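As an added example that is not part of the original page, the following Python detector applies the log-based strategies above to constructed log lines. The log layout (user=, client=, local_path= fields) is an assumption made for the illustration, not Kyuubi's actual audit format, and would need to be mapped to whatever a given deployment logs. Each referenced path is percent-decoded and normalized before being compared to the allowlist, so a '..' that stays inside an allowed directory is reported separately from one that escapes.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed allowlist for the illustration; the real kyuubi.session.local.dir.allow.list
# value is deployment specific and holds absolute directory paths.
ALLOW_LIST = ["/opt/kyuubi/user-files"]

# '..' occurring as a whole path segment, with either separator.
TRAVERSAL = re.compile(r"(^|[/\\])\.\.([/\\]|$)")
# Percent-encoded dots or separators, as might appear on an HTTP (REST) frontend.
ENCODED = re.compile(r"%2e|%2f|%5c", re.IGNORECASE)
# Assumed log layout for this example; NOT Kyuubi's real log format.
LINE = re.compile(r"user=(?P<user>\S+) client=(?P<client>\S+) local_path=(?P<path>\S+)")

# Constructed sample log lines (not captured from a real server).
SAMPLE_LOG = """\
2026-01-06T10:01:02Z INFO user=alice client=10.0.0.15 local_path=/opt/kyuubi/user-files/udf.jar
2026-01-06T10:01:09Z INFO user=bob client=10.0.0.99 local_path=/opt/kyuubi/user-files/../../../etc/passwd
2026-01-06T10:02:11Z INFO user=bob client=10.0.0.99 local_path=/opt/kyuubi/user-files/..%2F..%2F..%2Fetc%2Fshadow
2026-01-06T10:03:00Z INFO user=carol client=10.0.0.20 local_path=/opt/kyuubi/user-files/subdir/../model.bin
2026-01-06T10:04:30Z INFO user=dave client=10.0.0.21 local_path=/etc/kyuubi/conf/kyuubi-defaults.conf
"""


def inside_allowlist(resolved: str, allow_list) -> bool:
    """Boundary-aware prefix test on an already-normalized path."""
    return any(resolved == d or resolved.startswith(d.rstrip("/") + "/") for d in allow_list)


def classify(path: str, allow_list=ALLOW_LIST) -> list:
    """Return the reasons a referenced local path is suspicious (empty list = benign).
    Decode and normalize first, so the verdict depends on where the path resolves,
    not on how it was spelled."""
    reasons = []
    if ENCODED.search(path):
        reasons.append("percent-encoded path characters")
    decoded = unquote(path)
    if TRAVERSAL.search(decoded):
        reasons.append("dot-dot segment")
    resolved = posixpath.normpath(decoded)
    if not inside_allowlist(resolved, allow_list):
        reasons.append(f"resolves outside allowlist: {resolved}")
    return reasons


def scan(log_text: str, allow_list=ALLOW_LIST) -> list:
    """Return (user, client, raw_path, reasons) for every log line worth a look.
    A dot-dot that still resolves inside the allowlist is low priority; anything
    that resolves outside it is the real indicator for this CVE."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        reasons = classify(m["path"], allow_list)
        if reasons:
            alerts.append((m["user"], m["client"], m["path"], reasons))
    return alerts


def escapes(log_text: str, allow_list=ALLOW_LIST) -> list:
    """Only the alerts whose path resolves outside the allowlist."""
    return [a for a in scan(log_text, allow_list)
            if any(r.startswith("resolves outside") for r in a[3])]


if __name__ == "__main__":
    for user, client, path, reasons in scan(SAMPLE_LOG):
        print(f"{user}@{client} {path}\n    -> {'; '.join(reasons)}")
```

On the constructed input, carol's line is flagged only for the '..' segment (it resolves back inside the allowlist), while both of bob's lines and dave's plain out-of-allowlist reference land in escapes(); dave's path contains no traversal at all, so a rule that keys only on '../' would miss it.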
How to Mitigate CVE-2025-66518
Immediate Actions Required
- Upgrade Apache Kyuubi to version 1.10.3 or later immediately
- Review server logs for any evidence of exploitation attempts prior to patching
- Audit the current kyuubi.session.local.dir.allow.list configuration and minimize allowed directories
- Implement network segmentation to restrict which clients can access the Kyuubi server
Patch Information
Apache has released version 1.10.3 which addresses this vulnerability. Users running Apache Kyuubi versions 1.6.0 through 1.10.2 are strongly recommended to upgrade to version 1.10.3 or higher. For additional details, refer to the Apache Security Mailing List Thread and the Openwall OSS-Security Discussion.
Workarounds
- Restrict network access to the Kyuubi frontend ports to trusted client addresses with firewall rules (example below)
- Require stronger client authentication such as mutual TLS; this shrinks the set of clients that can connect but does not fix the bypass, since the flaw is exploitable by any authenticated client
- A reverse proxy or API gateway can filter path strings only on the REST frontend, which speaks HTTP; the default Thrift binary frontend cannot be filtered by an HTTP-aware proxy
- If patching must wait, disable client access to local-file functionality where the deployment allows it; shrinking the allowlist alone is not a substitute, because the bypass makes its contents irrelevant to what a traversal can reach
# Example: Restrict Kyuubi server access via firewall (iptables)
# 10009 is the default Thrift binary frontend port; if the REST frontend (default
# port 10099) or another frontend is enabled, add the same pair of rules for its port.
# Insert at the top of INPUT (-I) so an earlier, broader ACCEPT rule cannot shadow these.
iptables -I INPUT 1 -p tcp --dport 10009 -s 10.0.0.0/24 -j ACCEPT
iptables -I INPUT 2 -p tcp --dport 10009 -j DROP
# Rules added this way are not persistent; save them (e.g. iptables-save) to survive a reboot.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

