Apache Livy, an open-source service for interacting with Apache Spark, suffers from a path traversal vulnerability identified as CVE-2025-66249. The vulnerability is classified under CWE-22, indicating improper limitation of a pathname to a restricted directory. It affects Livy versions starting from 0.3.0 up to but excluding 0.9.0. The root cause lies in the handling of the configuration parameter 'livy.file.local-dir-whitelist', which is intended to restrict file access to certain directories. When this parameter is set to a non-default value, the directory validation logic can be bypassed, allowing an attacker to craft requests that access files outside the permitted directories. This can lead to unauthorized disclosure of sensitive files or potentially facilitate further attacks depending on the file contents accessed. The vulnerability requires the Livy server to be configured with a non-default whitelist, which is not the default setting, thus limiting the attack surface. No public exploits or active exploitation have been reported as of the publication date. The Apache Software Foundation addressed this vulnerability in version 0.9.0 by correcting the directory checking mechanism to enforce proper path restrictions regardless of configuration changes. Users are strongly advised to upgrade to this fixed version to eliminate the risk.

If exploited, this vulnerability could allow attackers to read arbitrary files on the server running Apache Livy, potentially exposing sensitive configuration files, credentials, or other critical data. This unauthorized access compromises confidentiality and could lead to further attacks such as privilege escalation or lateral movement within an organization's network. The impact is somewhat mitigated by the requirement for non-default configuration, which reduces the number of vulnerable deployments. However, organizations that customize the 'livy.file.local-dir-whitelist' setting are at risk. Since Apache Livy is commonly used in big data and analytics environments, exposure of sensitive data could have significant operational and compliance consequences. The vulnerability does not appear to allow remote code execution or denial of service directly, but the confidentiality breach alone can be critical depending on the data accessed. The lack of known exploits in the wild reduces immediate risk but does not eliminate the threat, especially as attackers may develop exploits targeting misconfigured Livy servers.

The primary mitigation is to upgrade Apache Livy to version 0.9.0 or later, where the vulnerability is fixed. Organizations should audit their Livy server configurations to identify any use of non-default 'livy.file.local-dir-whitelist' settings and revert to default if upgrading is not immediately possible. Additionally, implement strict access controls and network segmentation to limit exposure of Livy servers to trusted users and networks only. Monitoring and logging access to Livy file operations can help detect suspicious activity attempting path traversal. Employing file integrity monitoring on critical files can alert administrators to unauthorized access or changes. Finally, ensure that sensitive data on Livy servers is encrypted at rest and that least privilege principles are applied to service accounts to minimize damage if a breach occurs.