CVE-2025-58457: 
Java vulnerability analysis and mitigation

CVE-2025-58457 is a security vulnerability discovered in Apache ZooKeeper versions from 3.9.0 before 3.9.4, disclosed on September 24, 2025. The vulnerability stems from an improper permission check in ZooKeeper AdminServer that allows authorized clients to run snapshot and restore commands with insufficient permissions (NVD).

The vulnerability is classified as CWE-280 (Improper Handling of Insufficient Permissions or Privileges). According to CISA's assessment, it has received a CVSS 3.1 Base Score of 4.3 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N, indicating network accessibility with low attack complexity and requiring low privileges (NVD).

The vulnerability could potentially allow authorized clients to execute snapshot and restore commands without proper permission validation, potentially leading to unauthorized access to system resources. The CVSS scoring indicates that the primary impact is on confidentiality, with limited information disclosure possible (NVD).

Several mitigation options are available: upgrade to Apache ZooKeeper version 3.9.4 which contains the fix, disable both snapshot and restore commands using admin.snapshot.enabled and admin.restore.enabled configurations, disable the entire AdminServer interface via admin.enableServer, or ensure that the root ACL does not provide open permissions. It's noted that ZooKeeper ACLs are not recursive, so this does not impact operations on child nodes besides notifications from recursive watches (NVD).