{"id":"CVE-2025-66249","details":"Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache Livy.\n\nThis issue affects Apache Livy: from 0.3.0 before 0.9.0.\n\nThe vulnerability can only be exploited with non-default Apache Livy Server settings. If the configuration value \"livy.file.local-dir-whitelist\" is set to a non-default value, the directory checking can be bypassed.\n\nUsers are recommended to upgrade to version 0.9.0, which fixes the issue.","aliases":["GHSA-h84f-4ff9-8hc3"],"modified":"2026-04-10T05:34:16.342222Z","published":"2026-03-13T19:53:52.757Z","references":[{"type":"ADVISORY","url":"https://lists.apache.org/thread/1xwphsfn4jbtym4k4o0zlvwfogwqwwc3"},{"type":"ADVISORY","url":"http://www.openwall.com/lists/oss-security/2026/03/12/2"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/apache/incubator-livy","events":[{"introduced":"e36b6f57cad6f52eb56f431517a35bc063ed3c5d"},{"fixed":"7215f209b25b96488189567807eaded00953a492"}],"database_specific":{"versions":[{"introduced":"0.3.0"},{"fixed":"0.9.0"}]}}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-66249.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"}]}