CVE-2025-58457: 
Java vulnerability analysis and mitigation

CVE-2025-58457 affects Apache ZooKeeper versions from 3.9.0 before 3.9.4, involving an improper permission check in ZooKeeper AdminServer that allows authorized clients to run snapshot and restore commands with insufficient permissions (NVD). The vulnerability was disclosed on September 24, 2025, and has been assigned a CVSS v3.1 base score of 4.3 (MODERATE) (Red Hat Security).

The vulnerability stems from insufficient permission checks in the ZooKeeper AdminServer component, specifically affecting the snapshot and restore command functionality. It has been classified under CWE-280 (Improper Handling of Insufficient Permissions or Privileges). The CVSS v3.1 vector string is AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N, indicating network accessibility, low attack complexity, and required low privileges (NVD).

The vulnerability allows authorized clients to execute snapshot and restore commands despite having insufficient permissions. While the impact is limited due to the requirement of existing authorization, it could potentially lead to unauthorized access to system data. The vulnerability does not impact operations on child nodes except for notifications from recursive watches (NVD).

Several mitigation options are available: 1) Upgrade to Apache ZooKeeper version 3.9.4 which contains the fix, 2) Disable both snapshot and restore commands using admin.snapshot.enabled and admin.restore.enabled configuration options, 3) Disable the entire AdminServer interface via admin.enableServer, or 4) Ensure that the root ACL does not provide open permissions (NVD).