Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

CVE-2025-60012

🗓️ 13 Mar 2026 15:23:07Reported by apacheType 
cve
 cve🔗 web.nvd.nist.gov👁 3 Views🌐 WEB

Apache Livy 0.7.0 and 0.8.0 allow unauthorized file access via Spark configuration values with Spark 3.1+, upgrade to 0.9.0.

Related
Detection
Affected
Refs
Paths
ReporterTitlePublishedViews
Family
ATTACKERKB		CVE-2025-60012
13 Mar 202615:23
attackerkb
GithubExploit		Exploit for CVE-2025-60012
15 Mar 202615:17
githubexploit
Circl		CVE-2025-60012
12 Mar 202618:19
circl
CNNVD		Apache Livy 输入验证错误漏洞
13 Mar 202600:00
cnnvd
CNVD		Apache Livy Input Validation Error Vulnerability
19 Mar 202600:00
cnvd
Cvelist		CVE-2025-60012 Apache Livy: Restrict file access
13 Mar 202615:23
cvelist
EUVD		EUVD-2025-208637
13 Mar 202621:31
euvd
Github Security Blog		Apache Livy: Restrict file access
13 Mar 202621:31
github
NVD		CVE-2025-60012
13 Mar 202619:53
nvd
OSV		GHSA-HM8X-RPGG-7855 Apache Livy: Restrict file access
13 Mar 202621:31
osv
Rows per page
NVD
Vulners
Node
apachelivyRange0.7.00.9.0
[
  {
    "collectionURL": "https://repo.maven.apache.org/maven2",
    "defaultStatus": "unaffected",
    "packageName": "org.apache.livy:livy-server",
    "product": "Apache Livy",
    "vendor": "Apache Software Foundation",
    "versions": [
      {
        "lessThan": "0.9.0-incubating",
        "status": "affected",
        "version": "0.7.0-incubating",
        "versionType": "semver"
      }
    ]
  }
]
ParameterPositionPathDescriptionCWE
spark.archivesrequest body/sessionsSpark configuration value in the session payload can reference local files outside the whitelist due to missing validation for spark.archives in vulnerable Livy versions.CWE-20
spark.jarsrequest body/sessionsPath traversal via spark.jars in the session payload can bypass the whitelist check, allowing access to restricted local files in vulnerable Livy versions.CWE-20

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
19 Mar 2026 17:46Current
5.8Medium risk
Vulners AI Score5.8
CVSS 3.16.3
EPSS0.00091
SSVC
CWE-20
apache livyunauthorized file accessspark configuration valuesspark 3.1rest interfacejdbc interfaceversion 0.9.0
3