CVE-2025-58457

24.09.2025, 10:15

Improper permission check in ZooKeeper AdminServer lets authorized clients to run snapshot and restore command with insufficient permissions.

This issue affects Apache ZooKeeper: from 3.9.0 before 3.9.4.

Users are recommended to upgrade to version 3.9.4, which fixes the issue.

The issue can be mitigated by disabling both commands (via admin.snapshot.enabled and admin.restore.enabled), disabling the whole AdminServer interface (via admin.enableServer), or ensuring that the root ACL does not provide open permissions. (Note that ZooKeeper ACLs are not recursive, so this does not impact operations on child nodes besides notifications from recursive watches.)

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	4.3 MEDIUM	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
apache	CNA	---				---
CISA-ADP	ADP	4.3 MEDIUM	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 29%

Vendor	Product	Version
apache	zookeeper	3.9.0 ≤ 𝑥 < 3.9.4

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

zookeeper

bullseye (security)	3.4.13-6+deb11u1 fixed
bullseye	3.4.13-6+deb11u1 not-affected
trixie	no-dsa
bookworm	3.8.0-11+deb12u2 not-affected
bookworm (security)	3.8.0-11+deb12u1 fixed
forky	3.9.4-1 fixed
sid	3.9.4-1 fixed

Common Weakness Enumeration

CWE-280 - Improper Handling of Insufficient Permissions or Privileges
The application does not handle or incorrectly handles when it has insufficient privileges to access resources or functionality as specified by their permissions. This may cause it to follow unexpected code paths that may leave the application in an invalid state.

References

https://lists.apache.org/thread/r5yol0kkhx2fzw22pxk1ozwm3oc6yxrx

http://www.openwall.com/lists/oss-security/2025/09/24/10