CVE-2025-24793

Published: Jan 29, 2025Modified: Aug 25, 2025

7.0

Vector

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 1.0 / Impact: 5.9

Source: security-advisories@github.com (Secondary)

Description

The Snowflake Connector for Python provides an interface for developing Python applications that can connect to Snowflake and perform all standard operations. Snowflake discovered and remediated a vulnerability in the Snowflake Connector for Python. A function from the snowflake.connector.pandas_tools module is vulnerable to SQL injection. This vulnerability affects versions 2.2.5 through 3.13.0. Snowflake fixed the issue in version 3.13.1.

Affected (1)

Products: Snowflake: Snowflake Connector

1 product

Snowflake Connector

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Snowflake Snowflake Connector	From 2.2.5 to 3.13.1

Related CWEs

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

References (2)

https://github.com/snowflakedb/snowflake-connector-python/commit/f3f9b666518d29c31a49384bbaa9a65889e72056

Source: security-advisories@github.com

Patch

https://github.com/snowflakedb/snowflake-connector-python/security/advisories/GHSA-2vpq-fh52-j3wv

Source: security-advisories@github.com

Vendor Advisory

Timeline

No history available yet.