CVE-2025-66518

8.8 HIGH

📋 TL;DR

This vulnerability allows clients accessing Apache Kyuubi Server to bypass the server-side configuration that restricts which local directories can be accessed. Attackers can read arbitrary local files not included in the allow list. This affects all Apache Kyuubi deployments from version 1.6.0 through 1.10.2.

💻 Affected Systems

Products:
  • Apache Kyuubi
Versions: 1.6.0 through 1.10.2
Operating Systems: All operating systems running Apache Kyuubi
Default Config Vulnerable: ⚠️ Yes
Notes: All deployments using affected versions are vulnerable regardless of configuration, as the bypass affects the allow list enforcement mechanism.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete server compromise through sensitive file disclosure (credentials, configuration files, private keys) leading to data exfiltration, privilege escalation, or lateral movement.

🟠

Likely Case

Unauthorized access to sensitive local files containing configuration data, credentials, or proprietary information stored on the Kyuubi server.

🟢

If Mitigated

Limited impact if proper network segmentation and access controls prevent unauthorized clients from reaching the Kyuubi frontend protocols.

🌐 Internet-Facing: HIGH - Internet-facing Kyuubi servers are directly exposed to potential exploitation by any client that can reach the service.
🏢 Internal Only: MEDIUM - Internal attackers or compromised internal systems could exploit this to access sensitive files on the Kyuubi server.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability description suggests any client with access to Kyuubi frontend protocols can exploit this without authentication, making exploitation straightforward.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.10.3 or higher

Vendor Advisory: https://lists.apache.org/thread/xp460bwbyzdhho34ljd4nchyt2fmhodl

Restart Required: Yes

Instructions:

1. Download Apache Kyuubi version 1.10.3 or higher from the official Apache website.
2. Stop the Kyuubi service.
3. Replace the existing installation with the patched version.
4. Restart the Kyuubi service.
5. Verify the service is running correctly.

🔧 Temporary Workarounds

Network Access Restriction

Platform: Linux

Restrict network access to Kyuubi frontend protocols to only trusted clients using firewall rules or network security groups.

# Example iptables rules to restrict access to the Kyuubi port (default 10009).
# trusted_ip_range is a placeholder: replace it with the CIDR of the clients
# that legitimately need the service (e.g. 10.0.0.0/8).
iptables -A INPUT -p tcp --dport 10009 -s trusted_ip_range -j ACCEPT
iptables -A INPUT -p tcp --dport 10009 -j DROP

File System Hardening

Platform: Linux

Apply strict file system permissions to limit what files the Kyuubi process user can access, reducing potential impact.

# Run Kyuubi under a dedicated non-privileged user (create it first so the
# directories below can be owned by it; configure the service unit or start
# script to run as this user).
useradd -r -s /bin/false kyuubi_user
# Set restrictive permissions on sensitive directories: only the Kyuubi user
# can enter the configuration directory or read its files.
chown -R kyuubi_user:kyuubi_user /etc/kyuubi
chmod 700 /etc/kyuubi
chmod 600 /etc/kyuubi/*.conf

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate Kyuubi servers from untrusted networks and clients.
  • Apply additional file system access controls and audit sensitive file access patterns on the Kyuubi server.

🔍 How to Verify

Check if Vulnerable:

Check the Kyuubi server version. If it's between 1.6.0 and 1.10.2 inclusive, the system is vulnerable.

Check Version:

./bin/kyuubi version  # Run from Kyuubi installation directory

Verify Fix Applied:

After upgrading, verify the version is 1.10.3 or higher and test that the kyuubi.session.local.dir.allow.list configuration properly restricts file access.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file access patterns in Kyuubi logs
  • Access attempts to files outside the configured allow list
  • Errors related to file permission violations

Network Indicators:

  • Unexpected client connections to Kyuubi frontend protocols
  • Traffic patterns indicating file enumeration attempts

SIEM Query:

source="kyuubi.log" AND ("FileNotFoundException" OR "Permission denied" OR "access denied") AND NOT path IN allowed_paths
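The SIEM query above only matches error strings; a stricter check is to take every path a client requested and test it against kyuubi.session.local.dir.allow.list after normalising it. The following is an added example (not code from the page or from the Kyuubi project) that does this over constructed log lines; it assumes the setting is a comma-separated list of directories and that the requested path appears after "path=" in the log, both of which are assumptions about the real format.

```python
import posixpath
import re
from typing import Iterable

# Assumed value of kyuubi.session.local.dir.allow.list (comma-separated list).
ALLOW_LIST = "/data/kyuubi/allowed,/srv/exports"

# Constructed log lines for illustration; the real Kyuubi log layout may differ,
# so the regex below only assumes a requested path follows "path=".
SAMPLE_LOG = """\
2025-01-10 10:00:01 INFO  session=s1 user=alice path=/data/kyuubi/allowed/report.csv
2025-01-10 10:00:02 INFO  session=s2 user=bob path=/data/kyuubi/allowed/../../../etc/passwd
2025-01-10 10:00:03 INFO  session=s3 user=bob path=/data/kyuubi/allowed_evil/secrets.txt
2025-01-10 10:00:04 INFO  session=s4 user=carol path=/srv/exports/./q1.parquet
"""

PATH_RE = re.compile(r"\bpath=(\S+)")

def parse_allow_list(value: str) -> list[str]:
    """Split the comma-separated setting and normalise each directory."""
    return [posixpath.normpath(d.strip()) for d in value.split(",") if d.strip()]

def is_allowed(path: str, allowed_dirs: Iterable[str]) -> bool:
    """True only if the normalised path lies inside one allowed directory.

    Normalising collapses '.' and '..' segments, and the trailing-separator
    check stops '/data/kyuubi/allowed_evil' from matching '/data/kyuubi/allowed'.
    On a live server use os.path.realpath as well so symlinks cannot escape."""
    norm = posixpath.normpath(path)
    for d in allowed_dirs:
        if norm == d or norm.startswith(d.rstrip("/") + "/"):
            return True
    return False

def find_violations(log_text: str, allow_list_value: str) -> list[tuple[str, str]]:
    """Return (raw_path, normalised_path) for each log line whose path escapes the allow list."""
    allowed = parse_allow_list(allow_list_value)
    hits = []
    for line in log_text.splitlines():
        m = PATH_RE.search(line)
        if not m:
            continue
        raw = m.group(1)
        if not is_allowed(raw, allowed):
            hits.append((raw, posixpath.normpath(raw)))
    return hits

if __name__ == "__main__":
    for raw, norm in find_violations(SAMPLE_LOG, ALLOW_LIST):
        print(f"outside allow list: {raw} -> {norm}")
```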
