CVE-2025-24791

snowflake-connector-nodejs has incorrect validation of temporary credential cache file permissions

Description

snowflake-connector-nodejs is a NodeJS driver for Snowflake. Snowflake discovered and remediated a vulnerability in the Snowflake NodeJS Driver. File permissions checks of the temporary credential cache could be bypassed by an attacker with write access to the local cache directory. This vulnerability affects versions 1.12.0 through 2.0.1 on Linux. Snowflake fixed the issue in version 2.0.2.

References

Link	Tags
https://github.com/snowflakedb/snowflake-connector-nodejs/security/advisories/GHSA-xfhv-wqj6-rx99
https://github.com/snowflakedb/snowflake-connector-nodejs/commit/89731b3a4d61a75b721d13d4e47a7a3712ffa45f

Frequently Asked Questions

What is the severity of CVE-2025-24791?: CVE-2025-24791 has been scored as a medium severity vulnerability.
How to fix CVE-2025-24791?: To fix CVE-2025-24791, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2025-24791 being actively exploited in the wild?: As for now, there are no information to confirm that CVE-2025-24791 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2025-24791?: CVE-2025-24791 affects snowflakedb snowflake-connector-nodejs.

This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.

Description

Category

CWE-281 – Improper Preservation of Permissions

References

Frequently Asked Questions