The Snowflake connector for Python is a powerful tool that allows developers to connect their Python applications to Snowflake and perform a variety of standard operations. Recently, a vulnerability was discovered in the Snowflake connector for Python, specifically in the OCSP response cache. This vulnerability, identified as CVE-2025-24794, potentially allows for local privilege escalation due to the use of the pickle serialization format. This post will outline the details of the vulnerability, provide a code snippet as an example, and discuss the proper steps to remediate the issue.

Vulnerability Details

The affected versions of the Snowflake connector are 2.7.12 through 3.13.0. The vulnerability resides in the OCSP response cache, which relies on the pickle serialization format. The pickle module is known to be insecure and can lead to arbitrary code execution when it deserializes untrusted data. Because the cache is read back with pickle, a local attacker who can tamper with the cache file can abuse its insecure deserialization to escalate privileges.

The Common Vulnerabilities and Exposures (CVE) project has assigned the identifier CVE-2025-24794 to this vulnerability.

More details about the vulnerability can be found in the original security advisory published by Snowflake.

The following Python code snippet demonstrates a potential attack that exploits this vulnerability:

import os
import pickle

class MaliciousPayload:
    # pickle calls __reduce__ while serializing; the callable and arguments it
    # returns are invoked by pickle.load() on the victim's side, so the object
    # does not have to be "used" by the application for the code to run
    def __reduce__(self):
        return (os.system, ('echo "Exploit was successful"',))

payload = pickle.dumps(MaliciousPayload())

# Saving the malicious payload to the OCSP cache file
with open('ocsp_response_cache.pickle', 'wb') as f:
    f.write(payload)

# This would be a part of a legitimate Snowflake Connector application
with open('ocsp_response_cache.pickle', 'rb') as f:
    data = pickle.load(f)  # Insecure deserialization: os.system runs here, before any cache entry is used

In this code snippet, an attacker creates a malicious payload using Python's pickle module and saves it to the OCSP response cache file. When a legitimate Snowflake connector application deserializes the OCSP response cache, the attacker's code is executed with the privileges of that application. The privilege escalation follows from the difference in privileges: a lower-privileged local user only needs write access to the cache file, while the code runs in the context of whichever (possibly higher-privileged) process loads it.

Remediation and Patch

Snowflake has already addressed this vulnerability in version 3.13.1 of the Snowflake connector for Python. To remediate the issue, affected users should update their Snowflake connector to version 3.13.1 or later. The updated version of the connector can be found on Snowflake's GitHub repository.

You can update the Snowflake connector using pip with the following command:

pip install --upgrade snowflake-connector-python
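Before upgrading a fleet of machines, it helps to know which installations are actually in scope and whether the cache file could be rewritten by another local user. The helper below is an added example, not code from Snowflake or from this post; it takes the affected range (2.7.12 through 3.13.0, fixed in 3.13.1) from the advisory as summarised above and assumes, as the snippet above does, that the cache file is named ocsp_response_cache.pickle in the current directory.

```python
import os
import stat
from typing import Optional
from importlib.metadata import version, PackageNotFoundError

# Affected range as stated above: 2.7.12 through 3.13.0, fixed in 3.13.1
AFFECTED_MIN = (2, 7, 12)
FIXED_IN = (3, 13, 1)

# Assumed location, taken from the snippet above; the real path may differ
CACHE_PATH = "ocsp_response_cache.pickle"

def parse_version(v: str) -> tuple:
    """Turn '3.13.0' (or '3.13.0rc1') into (3, 13, 0); missing parts become 0."""
    parts = []
    for piece in v.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break  # stop at a pre-release suffix such as 'rc1'
            digits += ch
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])

def is_affected(v: str) -> bool:
    """True when the given connector version is inside the vulnerable range."""
    return AFFECTED_MIN <= parse_version(v) < FIXED_IN

def installed_connector_version() -> Optional[str]:
    """Version of snowflake-connector-python in this environment, or None."""
    try:
        return version("snowflake-connector-python")
    except PackageNotFoundError:
        return None

def mode_is_tamperable(mode: int) -> bool:
    """True when group or other users may write the file (e.g. 0o666, 0o664)."""
    return bool(stat.S_IMODE(mode) & (stat.S_IWGRP | stat.S_IWOTH))

def cache_file_is_tamperable(path: str = CACHE_PATH) -> bool:
    """True when the cache file exists and another local user could rewrite it."""
    return os.path.exists(path) and mode_is_tamperable(os.stat(path).st_mode)

if __name__ == "__main__":
    v = installed_connector_version()
    print("installed:", v, "| affected:", bool(v and is_affected(v)))
    print("cache writable by other local users:", cache_file_is_tamperable())
```

A writable cache file on a vulnerable version is the condition to fix first; upgrading removes the pickle dependency, and tightening the file's permissions limits who can tamper with it in the meantime.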

Conclusion

CVE-2025-24794 is a critical vulnerability in the Snowflake connector for Python's OCSP response cache that may lead to local privilege escalation due to the insecure use of the pickle serialization format. To protect your Python applications and data, be sure to update your Snowflake connector to version 3.13.1 or later. Always stay vigilant against potential vulnerabilities and keep your software up to date.

Timeline

Published on: 01/29/2025 21:15:21 UTC