snowflake-sdk may incorrectly validate temporary credential cache file permissions

Severity:: Medium

Description

Snowflake discovered and remediated a vulnerability in the Snowflake NodeJS Driver. File permissions checks of the temporary credential cache could be bypassed by an attacker with write access to the local cache directory.

This vulnerability affects versions 1.12.0 through 2.0.1 on Linux. Snowflake fixed the issue in version 2.0.2.

Recommendation

Update the snowflake-sdk package to the latest compatible version. Followings are version details:

Affected version(s): >= 1.12.0, <= 2.0.1
Patched version(s): 2.0.2

References

GHSA-xfhv-wqj6-rx99
CVE-2025-24791
CWE-281
CAPEC-310
OWASP 2021-A6

Related Issues

NodeJS Driver for Snowflake has race condition when checking access to Easy Logging configuration file - CVE-2025-46328
Astro Development Server has Arbitrary Local File Read - CVE-2025-64757
Snowflake NodeJS Driver vulnerable to Command Injection - CVE-2023-34232
Parse Server may crash when uploading file without extension - CVE-2023-46119

Tags:: npm; snowflake-sdk

Anything's wrong? Let us know Last updated on January 29, 2025