SQL Injection Affecting snowflake-connector-python package, versions [2.2.5,3.13.1)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-PYTHON-SNOWFLAKECONNECTORPYTHON-8674928
- published30 Jan 2025
- disclosed29 Jan 2025
- creditUnknown
Introduced: 29 Jan 2025
NewCVE-2025-24793 (opens in a new tab)Common Vulnerabilities and Exposures (CVE) are common identifiers for publicly known security vulnerabilities
Common Weakness Enumeration (CWE) is a category system for software weaknesses
How to fix?
Upgrade snowflake-connector-python to version 3.13.1 or higher.
Overview
snowflake-connector-python is a Snowflake Connector for Python
Affected versions of this package are vulnerable to SQL Injection in the write_pandas function, due to missing sanitization.
Note: Only a limited set of query types are not properly parameterized, and any SQL executed by the attacker will run in the context of the current session only.