A critical security vulnerability, tracked as CVE-2025-24793, has been discovered and fixed in the Snowflake Connector for Python. This connector is the interface Python applications use to connect to a Snowflake database and execute queries and data-loading operations.
The vulnerability is an SQL injection in a function of the snowflake.connector.pandas_tools module and affects versions 2.2.5 to 3.13. To address it, Snowflake released version 3.13.1, which contains the fix, so every Python application that uses the connector to reach Snowflake should move to that release.
Details and Exploit
The vulnerability was found in the write_pandas function: values that write_pandas interpolates into generated SQL are not sanitized, so an attacker who controls them can inject arbitrary SQL when a DataFrame is written through the Snowflake Connector for Python.
Here's an example snippet of the vulnerable code (illustrative, with the import needed for ProgrammingError added; the body is elided after the vulnerable line):
    from snowflake.connector.errors import ProgrammingError

    # The vulnerable write_pandas function
    def write_pandas(conn, df, table_name):
        if not CONNECTOR_SUPPORTS_PANDAS:
            raise ImportError(
                "The snowflake.connector.pandas_tools cannot be utilized. "
                "Please install the snowflake-connector-python[pandas] package."
            )
        if not conn.converter.support_pandas():
            raise ProgrammingError("The 'pandas' package is not supported.")
        row_count = len(df.index)
        # The vulnerable line: table_name is interpolated into the SQL unsanitized
        insert_sql = "INSERT INTO {} SELECT %s".format(table_name)
        ...
Because the injected text becomes part of the statement the connector executes, an attacker can run SQL of their choosing with the privileges of the connecting user, including reading sensitive data stored in the Snowflake database.
More information is available in Snowflake's GitHub repository, on the issue page for the vulnerability and in the 3.13.1 release notes.
Mitigation
The solution to the security vulnerability includes updating the Snowflake Connector for Python to the latest version (3.13.1), which includes the crucial security patch. Here's how you can upgrade:
pip install --upgrade snowflake-connector-python
We strongly recommend that all developers using the Snowflake Connector for Python between versions 2.2.5 and 3.13. upgrade immediately. Upgrading removes the SQL injection risk from the Python applications that use the connector with Snowflake.
In conclusion, this class of vulnerability arises whenever user-provided data reaches generated SQL without proper sanitization. Validating inputs (in particular, identifiers such as table and column names, which cannot be bound as query parameters) and using parameterized queries for values reinforces your application against SQL injection.
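To make the contrast concrete, here is an added example (my own code, not the connector's and not the vendor's fix) that places the vulnerable interpolation pattern from the snippet above beside two defensive counterparts: a strict allowlist for plain identifiers, and a quoting routine that turns an arbitrary string into a single Snowflake quoted identifier. The regular expression for unquoted identifiers and the guarded_write_pandas wrapper are assumptions of this example.

```python
import re

# Assumed rule for a Snowflake unquoted identifier: a letter or underscore,
# followed by letters, digits, underscores or dollar signs.
_UNQUOTED_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_$]*$")


def build_insert_unsafe(table_name: str) -> str:
    """Mirror of the vulnerable pattern: the name is pasted into the SQL verbatim."""
    return "INSERT INTO {} SELECT %s".format(table_name)


def is_safe_unquoted_identifier(name: str) -> bool:
    """Strict allowlist: accept only names that are plain identifiers."""
    return bool(_UNQUOTED_IDENT.match(name))


def quote_identifier(name: str) -> str:
    """Return NAME as one Snowflake quoted identifier.

    Embedded double quotes are doubled, so the whole string is parsed as a
    single identifier and never as SQL syntax. Caveat: quoted identifiers
    are case-sensitive in Snowflake, so "orders" is not the same as ORDERS.
    """
    if not name or "\x00" in name:
        raise ValueError("identifier must be non-empty and contain no NUL bytes")
    return '"' + name.replace('"', '""') + '"'


def build_insert_safe(table_name: str) -> str:
    """Hardened counterpart: quote the identifier before interpolating it."""
    return "INSERT INTO {} SELECT %s".format(quote_identifier(table_name))


def guarded_write_pandas(conn, df, table_name: str, **kwargs):
    """Hypothetical wrapper that validates names before calling write_pandas.

    DataFrame column names also reach generated SQL, so they are checked too.
    The import is deferred so this module loads without the connector installed.
    """
    from snowflake.connector.pandas_tools import write_pandas  # assumed installed

    names = [table_name, *map(str, df.columns)]
    bad = [n for n in names if not is_safe_unquoted_identifier(n)]
    if bad:
        raise ValueError(f"refusing names that are not plain identifiers: {bad}")
    return write_pandas(conn, df, table_name, **kwargs)
```

Even with identifier checks in place, the upgrade to 3.13.1 remains the actual fix; the wrapper only limits what reaches the library from your own code paths.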
Timeline
Published on: 01/29/2025 21:15:21 UTC