4.4

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2025-24795

GHSA ID

GHSA-r2x6-cjg7-8r43

EPSS Score

0.05711%

CWE

CWE-276

Published

1/29/2025

Updated

4/9/2025

KEV Status

Technology

Python

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-24795

CVE-2025-24795: snowflake-connector-python vulnerable to insecure cache files permissions

Issue

Snowflake discovered and remediated a vulnerability in the Snowflake Connector for Python. On Linux systems, when temporary credential caching is enabled, the Snowflake Connector for Python will cache temporary credentials locally in a world-readable file.

This vulnerability affects versions 2.3.7 through 3.13.0. Snowflake fixed the issue in version 3.13.1.

Vulnerability Details

On Linux, when either EXTERNALBROWSER or USERNAME_PASSWORD_MFA authentication methods are used with temporary credential caching enabled, the Snowflake Connector for Python will cache the temporary credentials in a local file. In the vulnerable versions of the Driver, this file is created with world-readable permissions.

Solution

Snowflake released version 3.13.1 of the Snowflake Connector for Python, which fixes this issue. We recommend users upgrade to version 3.13.1.

Additional Information

If you discover a security vulnerability in one of our products or websites, please report the issue to HackerOne. For more information, please see our Vulnerability Disclosure Policy.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-24795

CVE-2025-24795:

4.4

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2025-24795

GHSA ID

GHSA-r2x6-cjg7-8r43

EPSS Score

0.05711%

CWE

CWE-276

Published

1/29/2025

Updated

4/9/2025

KEV Status

Technology

Python

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
snowflake-connector-python	pip	>= 2.3.7, <= 3.13.0	3.13.1

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability (GHSA-r2x6-cjg7-8r43 / CVE-2025-24795) is due to insecure default file permissions (CWE-276) when caching temporary credentials and potentially other temporary files. The provided commit 3769b43822357c3874c40f5e74068458c2dc79af addresses this by modifying how files are created and opened.

The primary function highlighted by the advisory is flush_temporary_credentials in src/snowflake/connector/auth/_auth.py, which directly handles the caching of temporary credentials. The patch modifies its open() call to use a new owner_rw_opener, which sets file permissions to 0o600 (owner read/write only).

Additionally, the same commit applies similar fixes to other functions that create or handle temporary/intermediate files:

decrypt_file in src/snowflake/connector/encryption_util.py was updated to use owner_rw_opener for its temporary output file.
Methods prepare_download and write_downloaded_chunk in src/snowflake/connector/storage_client.py (part of SnowflakeRemoteStorageUtil class) were updated to use a new internal helper _open_intermediate_dst_path. This helper ensures that the intermediate download file is created with mode=0o600 using Path.touch(mode=0o600) before being opened.

These changes indicate that all these functions were previously creating files relying on default system permissions, which could be overly permissive (e.g., world-readable on Linux as stated for the credential cache). Therefore, they are all considered vulnerable in the context of CWE-276, and the patch remediates this by enforcing secure permissions (0o600) at the time of file creation or first open.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

4.4

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-24795: snowflake-connector-python vulnerable to insecure cache files permissions

Issue

Vulnerability Details

Solution

Additional Information

CVE-2025-24795:

4.4

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Technical Details

4.4

4.4

CVE-2025-24795: snowflake-connector-python vulnerable to insecure cache files permissions

Issue

Vulnerability Details

Solution

Additional Information

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Basic Information

Basic Information

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI