CVE-2025-24791
snowflake-sdk may incorrectly validate temporary credential cache file permissions
Description
### Issue Snowflake discovered and remediated a vulnerability in the Snowflake NodeJS Driver. File permissions checks of the temporary credential cache could be bypassed by an attacker with write access to the local cache directory. This vulnerability affects versions 1.12.0 through 2.0.1 on Linux. Snowflake fixed the issue in version 2.0.2. ### Vulnerability Details On Linux, when either EXTERNALBROWSER or USERNAME_PASSWORD_MFA authentication methods are used with temporary credential caching enabled, the Snowflake NodeJS Driver will cache temporary credentials in a local file. Due to a bug, the check verifying that the cache file can be accessed only by the user running the Driver always succeeded, but didn’t verify the permissions or the ownership correctly. An attacker with write access to the local cache folder could plant an empty file there and the Driver would use it to store temporary credentials instead of rejecting it due to overly broad permissions. ### Solution Snowflake released version 2.0.2 of the Snowflake NodeJS Driver, which fixes this issue. We recommend users upgrade to version 2.0.2. ### Additional Information If you discover a security vulnerability in one of our products or websites, please report the issue to HackerOne. For more information, please see our [Vulnerability Disclosure Policy](https://hackerone.com/snowflake?type=team).
How to fix CVE-2025-24791
To remediate CVE-2025-24791, upgrade the affected package to a fixed version below.
- —upgrade to 2.0.2 or later
Is CVE-2025-24791 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- >= 1.12.0, < 2.0.2