PT-2025-39239 · Apache+2 · Apache Zookeeper+2

Damien Diederen · Published 2025-09-24 · Updated 2026-04-10 · CVE-2025-58457

CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Apache ZooKeeper versions 3.9.0 through 3.9.3

Description: An improper permission check exists in the ZooKeeper AdminServer, allowing authorized clients to execute the snapshot and restore commands with insufficient permissions. The issue can be mitigated by disabling the snapshot and restore commands via admin.snapshot.enabled and admin.restore.enabled, by disabling the entire AdminServer interface via admin.enableServer, or by ensuring the root Access Control List (ACL) does not provide open permissions. ZooKeeper ACLs are not recursive, so this does not affect operations on child nodes beyond notifications from recursive watches.

Recommendations:
Upgrade to version 3.9.4.
Disable the snapshot and restore commands via admin.snapshot.enabled and admin.restore.enabled.
Disable the AdminServer interface via admin.enableServer.
Ensure the root ACL does not provide open permissions.
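As an added example (not part of this advisory or of the ZooKeeper project), a small Python audit helper that parses a zoo.cfg and reports which of the recommended configuration mitigations are absent, alongside the affected-version check. It assumes the Java-properties style key=value layout of zoo.cfg and that admin.enableServer defaults to true when unset; the root ACL recommendation cannot be verified from the file and must be checked against the running ensemble.

```python
import re

# Keys named in the advisory; the configuration mitigation is to set each to false.
ADMIN_COMMAND_KEYS = ("admin.snapshot.enabled", "admin.restore.enabled")

def parse_zoo_cfg(text):
    """Parse zoo.cfg (properties-style key=value lines; lines starting with '#' are comments)."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        cfg[key.strip()] = value.strip()
    return cfg

def is_affected_version(version):
    """True for 3.9.0 through 3.9.3, the range given in the advisory."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = map(int, m.groups())
    return (major, minor) == (3, 9) and patch <= 3

def audit(cfg, version):
    """Return a list of findings; an empty list means the documented mitigations are in place."""
    findings = []
    if is_affected_version(version):
        findings.append(f"version {version} is affected; upgrade to 3.9.4")
    # Assumption: the AdminServer is on unless admin.enableServer is explicitly false
    # (true is the ZooKeeper default, so a missing key leaves it enabled).
    if cfg.get("admin.enableServer", "true").lower() == "false":
        return findings  # no AdminServer, so snapshot/restore are unreachable
    for key in ADMIN_COMMAND_KEYS:
        if cfg.get(key, "").lower() != "false":
            findings.append(f"{key} is not set to false: command reachable via AdminServer")
    # The root ACL cannot be read from zoo.cfg; inspect it with `getAcl /` in zkCli.
    return findings

# Constructed sample configuration (not taken from the page): AdminServer left on,
# snapshot command enabled, restore command not mentioned.
SAMPLE_ZOO_CFG = """\
# constructed sample zoo.cfg
tickTime=2000
dataDir=/var/lib/zookeeper
clientPort=2181
admin.enableServer=true
admin.snapshot.enabled=true
"""

if __name__ == "__main__":
    for finding in audit(parse_zoo_cfg(SAMPLE_ZOO_CFG), "3.9.2"):
        print("FINDING:", finding)
```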

Weakness Enumeration

Related Identifiers

BDU:2025-12605
BIT-ZOOKEEPER-2025-58457
CVE-2025-58457
GHSA-2HMJ-97JW-28JH

Affected Products

Apache Zookeeper
Debian
Red Os