*Dear Apache ZooKeeper Maintainers and Community,*

I hope this message finds you well. I’m writing to report a critical security vulnerability affecting *Apache ZooKeeper 3.9.3*, which currently depends on Netty 4.1.113. A newly disclosed CVE (*CVE-2025-24970*) impacts this version of Netty, and upgrading to *Netty 4.1.118.Final* (or a later secure version) is required to resolve the issue.

*Details of the Issue*

- *CVE ID*: CVE-2025-24970 <https://nvd.nist.gov/vuln/detail/CVE-2025-24970>
- *Affected ZooKeeper Version*: 3.9.3
- *Vulnerable Dependency*: Netty 4.1.113
- *Impact*: When a specially crafted packet is received via SslHandler, it doesn't correctly handle validation of such a packet in all cases, which can lead to a native crash.
- *Fix*: Upgrade Netty to *4.1.118.Final* (or the version addressing this CVE).

*Request*

Given the severity of this vulnerability, could the team prioritize releasing a patched version of ZooKeeper (e.g., *3.9.4*) with the updated Netty dependency? This would help mitigate risks for users running ZooKeeper in production environments.

*Additional Notes*

- If there’s an existing patch or workaround, please share guidance with the community.
- I’m happy to assist with testing or providing further details if needed.

Thank you for your ongoing work on ZooKeeper, and I appreciate your urgent attention to this matter.

Best regards,
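As an added example, not part of this report or of the ZooKeeper project, the following Python check scans a ZooKeeper `lib` directory for bundled Netty jars and flags any whose version is older than the 4.1.118.Final fix named above; the jar names in `SAMPLE_LIB` are constructed for illustration, and the jar naming pattern is assumed from standard Maven artifact layout.

```python
import re
import sys
from pathlib import Path

# Netty release that addresses CVE-2025-24970, as stated in the report.
FIXED_NETTY = "4.1.118.Final"

# Assumed Maven-style jar names, e.g. netty-handler-4.1.113.Final.jar or
# netty-transport-native-epoll-4.1.113.Final-linux-x86_64.jar
NETTY_JAR = re.compile(
    r"^(netty-[a-z0-9-]+?)-(\d+\.\d+\.\d+)(?:\.(\w+))?(?:-([\w-]+))?\.jar$"
)

# Constructed sample of a lib directory listing (not real output).
SAMPLE_LIB = [
    "zookeeper-3.9.3.jar",
    "netty-handler-4.1.113.Final.jar",
    "netty-transport-native-epoll-4.1.113.Final-linux-x86_64.jar",
    "netty-codec-4.1.118.Final.jar",
    "jline-2.14.6.jar",
]


def parse_version(version: str):
    """Split '4.1.113.Final' into ((4, 1, 113), 'Final')."""
    parts = version.split(".")
    nums = tuple(int(p) for p in parts[:3])
    qualifier = parts[3] if len(parts) > 3 else ""
    return nums, qualifier


def is_vulnerable(version: str) -> bool:
    """True when the numeric part is older than the fixed release."""
    return parse_version(version)[0] < parse_version(FIXED_NETTY)[0]


def find_netty_jars(names):
    """Map each Netty artifact id in the listing to its version string."""
    found = {}
    for name in names:
        m = NETTY_JAR.match(name)
        if m:
            version = m.group(2) + ("." + m.group(3) if m.group(3) else "")
            found[m.group(1)] = version
    return found


def vulnerable_jars(names):
    """Only the Netty artifacts that still need the upgrade."""
    return {a: v for a, v in find_netty_jars(names).items() if is_vulnerable(v)}


if __name__ == "__main__":
    lib_dir = Path(sys.argv[1]) if len(sys.argv) > 1 else None
    names = [p.name for p in lib_dir.glob("*.jar")] if lib_dir else SAMPLE_LIB
    for artifact, version in vulnerable_jars(names).items():
        print(f"UPGRADE NEEDED: {artifact} {version} -> {FIXED_NETTY}")
```

Run it with the path to a ZooKeeper `lib` directory to audit a real installation; without an argument it audits the constructed sample.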