The vulnerability description states that the OCSP response cache used pickle for serialization, leading to potential local privilege escalation. The provided commit 3769b43822357c3874c40f5e74068458c2dc79af shows changes primarily in src/snowflake/connector/cache.py and src/snowflake/connector/ocsp_snowflake.py.
In src/snowflake/connector/cache.py, the SFDictFileCache class had methods _load and _save.
- The _load method previously contained the line other: SFDictFileCache = pickle.load(r_file). This is a direct use of pickle.load on a file, which is the core of the deserialization vulnerability. If an attacker could control the content of this file, they could achieve arbitrary code execution.
- The _save method previously contained the line w_file.write(pickle.dumps(self)). This method serialized the cache object using pickle.dumps before writing it to a file. This serialized data would then be consumed by the vulnerable _load method.
The patch replaces these direct pickle calls with self._deserialize and self._serialize respectively. A new class _OCSPResponseValidationResultCache (in src/snowflake/connector/ocsp_snowflake.py), which inherits from SFDictFileCache, overrides these methods to use json for serialization and deserialization, thus mitigating the vulnerability. The OCSP_RESPONSE_VALIDATION_CACHE is then instantiated using this new, safer class.
The functions SFDictFileCache._load and SFDictFileCache._save are identified as vulnerable because they were the ones directly performing the insecure pickle.load and pickle.dumps operations on the cache file before the patch.
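The hook pattern the patch describes, as an added sketch that is not the connector's own code: a file cache whose load and save go through overridable _serialize/_deserialize methods, with a JSON subclass that treats the file as data only and rejects anything else. FileCache, JsonFileCache, demo and the shape check are hypothetical names and assumptions made for this illustration.

```python
import json
import pickle
import tempfile


class FileCache:
    """File-backed dict cache; the on-disk format is chosen by subclass hooks."""

    def __init__(self, path, data=None):
        self.path, self.data = path, dict(data or {})

    def _serialize(self) -> bytes:
        raise NotImplementedError
    def _deserialize(self, raw: bytes) -> dict:
        raise NotImplementedError

    def save(self):
        with open(self.path, "wb") as w_file:
            w_file.write(self._serialize())

    def load(self) -> bool:
        try:
            with open(self.path, "rb") as r_file:
                self.data = self._deserialize(r_file.read())
            return True
        except (OSError, ValueError):  # missing, unreadable or malformed file
            return False


class JsonFileCache(FileCache):
    """Data-only format: parsing the file never runs code taken from it."""

    def _serialize(self) -> bytes:
        return json.dumps(self.data).encode("utf-8")

    def _deserialize(self, raw: bytes) -> dict:
        obj = json.loads(raw.decode("utf-8"))  # decode errors are ValueError
        if not isinstance(obj, dict) or not all(isinstance(v, str) for v in obj.values()):
            raise ValueError("unexpected cache shape")
        return obj


def demo():
    path = tempfile.mkdtemp() + "/cache_file"
    entry = {"constructed-cert-id": "GOOD"}  # constructed sample entry
    JsonFileCache(path, entry).save()
    fresh = JsonFileCache(path)
    round_trip = fresh.load() and fresh.data == entry
    with open(path, "wb") as f:  # constructed legacy file: benign pickled dict
        f.write(pickle.dumps(entry))
    return round_trip, JsonFileCache(path).load()
```

A cache file left over in the old pickle format fails to parse and is treated as a cache miss, so the in-memory cache stays empty instead of being populated from untrusted bytes.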