CVE-2025-58457
Apache ZooKeeper: Insufficient Permission Check in AdminServer Snapshot/Restore Commands
Severity: MEDIUM (4.3) | EPSS: 0.11%
Description
Improper permission checks in the AdminServer allow an authenticated client with insufficient privileges to invoke the `snapshot` and `restore` commands. The intended requirement is authentication and authorization on the root path (`/`) with **ALL** permission for these operations; however, affected versions permit invocation without that level of authorization. The primary risk is disclosure of cluster state via snapshots to a lesser-privileged client.

- **Affected:** `org.apache.zookeeper:zookeeper` 3.9.0 through 3.9.3.
- **Fixed:** 3.9.4 (ZOOKEEPER-4964 "check permissions individually during admin server auth").
- **Mitigations:**
  - Disable both commands (`admin.snapshot.enabled`, `admin.restore.enabled`).
  - Disable AdminServer (`admin.enableServer`).
  - Ensure the root ACL is not open; note that ZooKeeper ACLs are not recursive.
  - Upgrade to 3.9.4.
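The following script is an added illustration of how an operator might audit a `zoo.cfg` against the mitigations listed above; it is not code from the advisory or from the Apache ZooKeeper project. It assumes the three configuration keys named in the advisory appear as plain `key=value` lines, and it deliberately treats an absent key as "not explicitly disabled" rather than relying on upstream defaults. The sample configurations are constructed. The root-ACL mitigation cannot be verified from the config file alone and is not covered here.

```python
"""Audit a ZooKeeper zoo.cfg against the CVE-2025-58457 mitigations.

Added illustration, not part of the advisory or of Apache ZooKeeper.
Assumptions: the keys admin.enableServer, admin.snapshot.enabled and
admin.restore.enabled are plain key=value lines; an absent key is reported
as "not explicitly disabled" (no reliance on upstream defaults).
"""
from __future__ import annotations

AFFECTED_MIN = (3, 9, 0)   # first affected release, per the advisory
FIXED = (3, 9, 4)          # first fixed release, per the advisory

# Constructed sample: AdminServer on, snapshot explicitly on, restore key absent.
WEAK_CFG = """\
tickTime=2000
dataDir=/var/lib/zookeeper
clientPort=2181
admin.enableServer=true
admin.snapshot.enabled=true
"""

# Constructed sample: both commands disabled as the advisory recommends.
HARDENED_CFG = """\
tickTime=2000
dataDir=/var/lib/zookeeper
clientPort=2181
admin.enableServer=true
admin.snapshot.enabled=false
admin.restore.enabled=false
"""


def parse_zoo_cfg(text: str) -> dict[str, str]:
    """Parse key=value lines; blank lines and '#' comments are ignored."""
    cfg: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def parse_version(ver: str) -> tuple[int, ...]:
    """'3.9.3' -> (3, 9, 3); any '-qualifier' suffix is dropped."""
    core = ver.split("-", 1)[0]
    return tuple(int(p) for p in core.split("."))


def is_affected_version(ver: str) -> bool:
    """True for 3.9.0 <= ver < 3.9.4, the range the advisory lists."""
    return AFFECTED_MIN <= parse_version(ver) < FIXED


def _disabled(cfg: dict[str, str], key: str) -> bool:
    """A key counts as disabled only when it is explicitly set to false."""
    return cfg.get(key, "").lower() == "false"


def assess(cfg: dict[str, str], version: str) -> list[str]:
    """Return findings; an empty list means no advisory mitigation is missing."""
    findings: list[str] = []
    if not is_affected_version(version):
        return findings                      # outside 3.9.0 .. 3.9.3
    if _disabled(cfg, "admin.enableServer"):
        return findings                      # AdminServer off: commands unreachable
    for key in ("admin.snapshot.enabled", "admin.restore.enabled"):
        if not _disabled(cfg, key):
            findings.append(
                f"{key} is not explicitly false "
                "(assumption: absent key means the command stays reachable)"
            )
    if findings:
        findings.append(f"version {version} is in the affected range; upgrade to 3.9.4")
    return findings


def check_zoo_cfg(text: str, version: str) -> list[str]:
    """Convenience wrapper: parse the config text and assess it."""
    return assess(parse_zoo_cfg(text), version)


if __name__ == "__main__":
    for name, cfg_text in (("weak", WEAK_CFG), ("hardened", HARDENED_CFG)):
        findings = check_zoo_cfg(cfg_text, "3.9.3")
        print(f"{name}: {'OK' if not findings else ''}")
        for line in findings:
            print("  -", line)
```

Run it against a real `zoo.cfg` by passing the file contents and the server's version string to `check_zoo_cfg`; an empty result means either the version is outside the affected range, the AdminServer is disabled, or both commands are explicitly disabled. Because the check is deliberately conservative about absent keys, a clean run still requires confirming the root ACL is not open, which needs a live connection rather than a config read.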
Affected packages (3)
- Bitnami/zookeeper: >= 3.9.0, < 3.9.4
- Debian/zookeeper: from 0
- Maven/org.apache.zookeeper:zookeeper: >= 3.9.0, < 3.9.4
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 4.3 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
References (9)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2025-58457
- ADVISORY: https://security-tracker.debian.org/tracker/CVE-2025-58457
- PATCH: https://github.com/apache/zookeeper
- WEB: http://github.com/apache/zookeeper/commit/71e173fcbcc9deb784081cf867bd045df3c32635
- WEB: https://lists.apache.org/thread/r5yol0kkhx2fzw22pxk1ozwm3oc6yxrx
- WEB: https://zookeeper.apache.org/doc/current/zookeeperSnapshotAndRestore.html
- WEB: https://zookeeper.apache.org/doc/r3.9.4/releasenotes.html
- WEB: https://zookeeper.apache.org/security.html#CVE-2025-58457
- WEB: http://www.openwall.com/lists/oss-security/2025/09/24/10