Description

Malicious configuration can lead to unauthorized file access in Apache Livy. This issue affects Apache Livy 0.7.0 and 0.8.0 when connecting to Apache Spark 3.1 or later. A request that includes a Spark configuration value supported from Apache Spark version 3.1 can lead to users gaining access to files they do not have permissions to. For the vulnerability to be exploitable, the user needs to have access to Apache Livy's REST or JDBC interface and be able to send requests with arbitrary Spark configuration values. Users are recommended to upgrade to version 0.9.0 or later, which fixes the issue.

INFO

Published Date :

2026-03-13T15:23:07.334Z

Last Modified :

2026-03-13T18:11:24.588Z

Source :

apache
AFFECTED PRODUCTS

The following products are affected by CVE-2025-60012 vulnerability.

No data.

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-60012.

URL Resource
http://www.openwall.com/lists/oss-security/2026/03/12/1 cve-icon
https://lists.apache.org/thread/gpc85fwrgrbglpk9gm8tmcjzqnctx64w cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact