CVE-2025-58457

UNKNOWN
Published 2025-09-24T09:29:35.824Z

No CVSS data available

Description

An improper permission check in the ZooKeeper AdminServer lets authenticated clients with insufficient permissions run the snapshot and restore commands.

This issue affects Apache ZooKeeper: from 3.9.0 before 3.9.4.

Users are recommended to upgrade to version 3.9.4, which fixes the issue.

The issue can be mitigated by disabling both commands (via admin.snapshot.enabled and admin.restore.enabled), disabling the whole AdminServer interface (via admin.enableServer), or ensuring that the root ACL does not provide open permissions. (Note that ZooKeeper ACLs are not recursive, so this does not impact operations on child nodes besides notifications from recursive watches.)

Available Exploits

No exploits available for this CVE.

Related News

No news articles found for this CVE.

EU Vulnerability Database

Monitored by ENISA for EU cybersecurity

EU Coordination

Not EU Coordinated

Exploitation Status

No Known Exploitation

Affected Products (ENISA)

Apache Software Foundation
Apache ZooKeeper

ENISA Scoring

CVSS Score (3.1)

4.3
/10
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

EPSS Score

0.070
probability

Data provided by ENISA EU Vulnerability Database. Last updated: October 3, 2025

GitHub Security Advisories

Community-driven vulnerability intelligence from GitHub

✓ GitHub Reviewed MODERATE

Apache ZooKeeper: Insufficient Permission Check in AdminServer Snapshot/Restore Commands

GHSA-2hmj-97jw-28jh

Advisory Details

Improper permission checks in the AdminServer allow an authenticated client with insufficient privileges to invoke the `snapshot` and `restore` commands. The intended requirement is authentication and authorization on the root path (`/`) with **ALL** permission for these operations; however, affected versions permit invocation without that level of authorization. The primary risk is disclosure of cluster state via snapshots to a lesser-privileged client.

* **Affected:** `org.apache.zookeeper:zookeeper` 3.9.0 through 3.9.3.
* **Fixed:** 3.9.4 (ZOOKEEPER-4964 "check permissions individually during admin server auth").
* **Mitigations:**
  * Disable both commands (`admin.snapshot.enabled`, `admin.restore.enabled`).
  * Disable AdminServer (`admin.enableServer`).
  * Ensure the root ACL is not open; note that ZooKeeper ACLs are not recursive.
  * Upgrade to 3.9.4.
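The mitigations listed in the description and again in the advisory details above (disable the two commands, disable AdminServer, or close the root ACL) expressed as a runnable audit. This is an added example, not code from the advisory or from the Apache ZooKeeper project. It uses its own minimal parser for the key=value zoo.cfg format; the two zoo.cfg samples and the ACL entries are constructed; the defaults it assumes when a key is absent (admin.enableServer true, admin.snapshot.enabled and admin.restore.enabled false) are assumptions to verify against the documentation for the version you run; the version check encodes the 3.9.0 up to but not including 3.9.4 range the advisory gives.

```python
"""Audit a ZooKeeper deployment for the CVE-2025-58457 mitigations.

Added example, not code from the advisory or from Apache ZooKeeper. It
checks the three configuration mitigations the advisory names (disable the
snapshot/restore commands, disable AdminServer, or close the root ACL) and
the affected version range. Assumptions: the defaults used for
admin.enableServer (true) and admin.snapshot.enabled / admin.restore.enabled
(false); the zoo.cfg samples and ACL entries below are constructed.
"""
import re

# Constructed zoo.cfg: AdminServer on, both commands explicitly enabled.
EXPOSED_CFG = """\
tickTime=2000
dataDir=/var/lib/zookeeper
clientPort=2181
# AdminServer left on with the 3.9.x snapshot/restore commands enabled
admin.enableServer=true
admin.serverPort=8080
admin.snapshot.enabled=true
admin.restore.enabled=true
"""

# Constructed zoo.cfg: same deployment with both commands disabled.
HARDENED_CFG = """\
tickTime=2000
dataDir=/var/lib/zookeeper
clientPort=2181
admin.enableServer=true
admin.serverPort=8080
admin.snapshot.enabled=false
admin.restore.enabled=false
"""

# Constructed root ACLs: world:anyone with every permission versus a closed one.
OPEN_ROOT_ACL = [("world", "anyone", "cdrwa")]
CLOSED_ROOT_ACL = [("sasl", "zk-admin", "cdrwa"), ("world", "anyone", "r")]


def parse_properties(text):
    """Minimal parser for zoo.cfg (key=value lines, '#'/'!' comments, blanks)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def _flag(props, key, default):
    # Assumed defaults; verify against the docs for the version you run.
    return props.get(key, "true" if default else "false").lower() == "true"


def exposed_commands(props):
    """Commands reachable over AdminServer: needs admin.enableServer and
    the per-command flag. Returns [] when AdminServer itself is disabled."""
    if not _flag(props, "admin.enableServer", True):
        return []
    return [cmd for cmd in ("snapshot", "restore")
            if _flag(props, f"admin.{cmd}.enabled", False)]


def root_acl_is_open(acl):
    """Heuristic: the root ACL is open if the unauthenticated identity
    world:anyone holds the admin bit or the full cdrwa set. Entries are
    (scheme, id, perms) tuples as printed by `getAcl /` in zkCli."""
    for scheme, ident, perms in acl:
        if scheme == "world" and ident == "anyone":
            if "a" in perms or set("cdrwa") <= set(perms):
                return True
    return False


def is_affected_version(version):
    """True for 3.9.0 <= version < 3.9.4, the range the advisory gives."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised ZooKeeper version: {version!r}")
    v = tuple(int(x) for x in m.groups())
    return (3, 9, 0) <= v < (3, 9, 4)


def audit(cfg_text, root_acl, version):
    """Combine the checks. Any single mitigation removes the exposure, so
    at_risk is true only when an affected version exposes a command AND
    the root ACL is open."""
    props = parse_properties(cfg_text)
    commands = exposed_commands(props)
    open_root = root_acl_is_open(root_acl)
    affected = is_affected_version(version)
    return {
        "affected_version": affected,
        "exposed_commands": commands,
        "root_acl_open": open_root,
        "at_risk": affected and bool(commands) and open_root,
    }


if __name__ == "__main__":
    for name, cfg in (("exposed", EXPOSED_CFG), ("hardened", HARDENED_CFG)):
        print(name, audit(cfg, OPEN_ROOT_ACL, "3.9.3"))
```

To run it against a real node, read the deployed zoo.cfg into `cfg_text`, transcribe the output of `getAcl /` from zkCli into the (scheme, id, perms) tuples, and pass the version reported by the server. The three mitigations are independent, so `at_risk` is reported only when none of them is in place on an affected version; upgrading to 3.9.4 clears `affected_version` regardless of configuration.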

Affected Packages

Maven org.apache.zookeeper:zookeeper
ECOSYSTEM: ≥3.9.0 <3.9.4

CVSS Scoring

CVSS Score

5.0

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Advisory provided by GitHub Security Advisory Database. Published: September 24, 2025, Modified: September 26, 2025

References

Published: 2025-09-24T09:29:35.824Z
Last Modified: 2025-09-24T09:29:35.824Z