CVE-2025-66518 is a path traversal vulnerability (CWE-27) affecting Apache Kyuubi, an open-source distributed SQL query engine for large-scale data processing. The flaw exists in the handling of file paths when clients access the Kyuubi server via its frontend protocols. Specifically, the server-side configuration parameter 'kyuubi.session.local.dir.allow.list', which is intended to restrict access to certain local directories, can be bypassed by crafting path traversal sequences such as 'dir/../../filename'. This allows an attacker with access to the Kyuubi frontend protocols to read local files outside the allowed directories. The vulnerability affects versions 1.6.0 through 1.10.2 and was fixed in version 1.10.3. Exploitation requires the attacker to have at least limited privileges (low privileges) and some user interaction, but no elevated privileges or complex conditions. The CVSS 4.0 vector (AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L) indicates network attack vector, low attack complexity, partial authentication, and partial user interaction, with high impact on confidentiality and integrity, and low impact on availability. The vulnerability could lead to unauthorized disclosure of sensitive files, potentially exposing credentials, configuration files, or other critical data, which could further facilitate lateral movement or privilege escalation within affected environments.

For European organizations, the impact of this vulnerability can be significant, especially those relying on Apache Kyuubi for big data analytics and SQL querying over distributed data lakes. Unauthorized access to local files can lead to exposure of sensitive business data, intellectual property, or personally identifiable information (PII), which is subject to strict regulations such as GDPR. Confidentiality breaches could result in regulatory fines, reputational damage, and loss of customer trust. Integrity impacts could allow attackers to manipulate configuration or data files, potentially disrupting data processing workflows or causing incorrect analytics results. Given the network-exploitable nature of the vulnerability and the relatively low privilege required, attackers could leverage this flaw to gain footholds in critical data infrastructure. This is particularly concerning for sectors like finance, telecommunications, and government agencies in Europe that handle sensitive data and rely on distributed data processing platforms.

European organizations should immediately upgrade Apache Kyuubi to version 1.10.3 or later, where this vulnerability is patched. Until the upgrade is applied, organizations should restrict network access to the Kyuubi frontend protocols to trusted users and networks only, employing network segmentation and firewall rules. Implement strict authentication and authorization controls to limit who can access the Kyuubi server. Monitor logs for unusual file access patterns or attempts to use path traversal sequences. Additionally, conduct a thorough audit of file permissions on Kyuubi servers to minimize exposure of sensitive files. Employ runtime application self-protection (RASP) or web application firewalls (WAFs) that can detect and block path traversal attempts. Finally, integrate vulnerability scanning and continuous monitoring to detect any exploitation attempts promptly.