CVE-2025-66518
Published: 05 January 2026
Summary
CVE-2025-66518 is a high-severity Path Traversal: 'dir/../../filename' (CWE-27) vulnerability in Apache Kyuubi. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked at the 11.2 percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Validates client-supplied file paths to block path traversal attempts that bypass the kyuubi.session.local.dir.allow.list configuration.
- SI-2 (Flaw Remediation): Requires timely remediation of identified flaws like this path traversal vulnerability through patching to versions such as 1.10.3.
- Enforces approved authorizations for local file access, mitigating bypasses of directory allow lists by low-privileged clients.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Path traversal in public-facing Kyuubi server directly enables remote exploitation of the application (T1190) and unauthorized access to arbitrary local files (T1005).
NVD Description
Any client who can access Apache Kyuubi Server via Kyuubi frontend protocols can bypass the server-side config kyuubi.session.local.dir.allow.list and use local files which are not listed in the config. This issue affects Apache Kyuubi: from 1.6.0 through 1.10.2. Users are recommended to upgrade to version 1.10.3 or later, which fixes the issue.
Deeper analysis
CVE-2025-66518 is a vulnerability in Apache Kyuubi that enables any client accessing the Apache Kyuubi Server via Kyuubi frontend protocols to bypass the server-side configuration kyuubi.session.local.dir.allow.list. This allows the client to use local files not listed in the configuration. The issue affects Apache Kyuubi versions from 1.6.0 through 1.10.2 and was published on 2026-01-05.
A low-privileged remote attacker (PR:L) with network access to the Kyuubi Server can exploit this vulnerability with low complexity and no user interaction required. The CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) reflects high impacts on confidentiality, integrity, and availability. The flaw is linked to CWE-22 (Path Traversal) and CWE-27 (Path Traversal: 'dir/../../filename', a relative path traversal variant), potentially allowing arbitrary local file access.
Apache advisories recommend upgrading to version 1.10.3 or later to remediate the issue. Additional details are available in the Apache mailing list thread at https://lists.apache.org/thread/xp460bwbyzdhho34ljd4nchyt2fmhodl and the OSS-Security announcement at http://www.openwall.com/lists/oss-security/2026/01/05/1.
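The defensive point behind SI-10 here is that a directory allow list is only as strong as the path check in front of it. The following added example (not Kyuubi's code; the allow-list directories and request paths are constructed) contrasts a naive prefix match, which a CWE-27 style `dir/../../file` path slips past, with a check that canonicalizes the path before comparing it against the allowed directories.

```python
import os

# Constructed allow list, standing in for kyuubi.session.local.dir.allow.list.
ALLOW_LIST = ["/srv/kyuubi/allowed", "/data/shared"]


def weak_check(path: str, allow_list) -> bool:
    """Naive check: accepts any path that merely starts with an allowed prefix.
    '..' segments are never resolved, so 'allowed/../../etc/passwd' passes,
    and a sibling directory such as 'allowed_evil' passes as well."""
    return any(path.startswith(d) for d in allow_list)


def hardened_check(path: str, allow_list) -> bool:
    """Canonicalize first, then require that the resolved path lies inside an
    allowed directory. Relative paths are rejected outright so the check is
    not relative to an unknown working directory. os.path.normpath collapses
    '..' without touching the filesystem (keeps the example offline); on a
    live server use os.path.realpath so symlinks are collapsed too."""
    if not os.path.isabs(path):
        return False
    resolved = os.path.normpath(path)
    for d in allow_list:
        base = os.path.normpath(d)
        # commonpath works on whole path components, so 'allowed_evil'
        # does not match 'allowed'.
        if os.path.commonpath([base, resolved]) == base:
            return True
    return False


# Constructed client-supplied paths exercising each case.
SAMPLE_PATHS = [
    "/srv/kyuubi/allowed/data.csv",              # legitimate
    "/srv/kyuubi/allowed/../../../etc/passwd",   # CWE-27 traversal out of the directory
    "/srv/kyuubi/allowed_evil/x",                # prefix-sibling directory
    "/data/shared/sub/../other.parquet",         # '..' that stays inside the allowed dir
]


def evaluate(paths=SAMPLE_PATHS):
    """Return {path: (weak_result, hardened_result)} for each sample path."""
    return {p: (weak_check(p, ALLOW_LIST), hardened_check(p, ALLOW_LIST)) for p in paths}


if __name__ == "__main__":
    for p, (weak, hard) in evaluate().items():
        print(f"{p:45} weak={weak!s:5} hardened={hard}")
```

The last sample shows that canonicalizing does not break legitimate dot-dot usage: a path that resolves back inside an allowed directory is still accepted.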
Details
- CWE(s)