PT-2026-25061 · Apache · Apache Ivy+1

Furue Hideyuki · Published 2026-03-12 · Updated 2026-03-14 · CVE-2025-60012

CVSS v3.1: 6.3 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Name of the Vulnerable Software and Affected Versions

Apache Livy versions 0.7.0 and 0.8.0

Description

A malicious configuration can lead to unauthorized file access in Apache Livy. This issue occurs when connecting to Apache Spark 3.1 or later. A request including a Spark configuration value supported from Apache Spark version 3.1 can allow users to gain access to files they are not permitted to access. Exploitation requires access to the Apache Livy REST or JDBC interface and the ability to send requests with arbitrary Spark configuration values. The vulnerable component is the Spark configuration processing logic within Apache Livy.

Recommendations

Upgrade to version 0.9.0 or later to resolve this issue.

Fix

RCE

Weakness Enumeration

Related Identifiers

CVE-2025-60012
GHSA-HM8X-RPGG-7855

Affected Products

Apache Ivy
Apache Spark