The vulnerability is a Time-of-Check to Time-of-Use (TOCTOU) race condition in the handling of the Easy Logging configuration file in the NodeJS Driver for Snowflake. The analysis of the patch commit e94c24112271e1f44c271634bf29a3188acc68d0 reveals the vulnerable pattern and the functions involved.
ConfigurationUtil.getClientConfig: This is the primary function where the TOCTOU vulnerability existed. The pre-patch code in this function first performed checks on the configuration file (e.g., permissions via isFileNotWritableByGroupOrOthers) based on its path. Subsequently, it read the file's content, again using the file path, by calling readFileConfig(path). This separation of check and use operations created a time window for an attacker to exploit the race condition.
readFileConfig (old version taking filePath): This helper function, located in the same client_configuration.js file, was the 'use' part of the TOCTOU. It was responsible for reading the file content based on the provided path. When called by the vulnerable getClientConfig, it could end up reading a malicious file swapped in after the initial checks.
The patch addresses this by ensuring that file operations (opening, stating, reading, and re-stating) are performed in a sequence that mitigates the race condition. Key changes include opening the file with O_NOFOLLOW and O_RDONLY flags (openFileSafely), performing checks on the obtained file descriptor, reading from the file descriptor, and then re-validating file stats to detect modifications during the process (isFileModified). The readFileConfig function was also changed to accept a file descriptor instead of a file path.
The function isFileNotWritableByGroupOrOthers (previously imported from lib/file_util.js and used in getClientConfig) was the 'check' phase. Although it was part of the vulnerable sequence, the vulnerability itself is the TOCTOU pattern implemented within getClientConfig. isFileNotWritableByGroupOrOthers is therefore not listed as a vulnerable function: the flaw lay in how getClientConfig used it (checking a path that could be swapped before the read) rather than in the function itself, which is sound when applied correctly (e.g., to an already opened and locked file descriptor), and its use in this vulnerable path was removed.
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| snowflake-sdk | npm | >= 1.10.0, <= 2.0.3 | 2.0.4 |