CVE-2025-24788
📋 TL;DR
The Snowflake Connector for .NET, versions 2.0.12 through 4.2.0, temporarily stores downloaded stage files in world-readable directories on Linux and macOS, allowing other local users on the same machine to read sensitive data. This affects organizations that use a vulnerable connector version for Snowflake data operations.
💻 Affected Systems
- snowflake-connector-net
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Sensitive data from Snowflake stages (including PII, financial records, or intellectual property) is exposed to unauthorized local users, leading to data breaches and compliance violations.
Likely Case
Unauthorized local users can read temporary files containing sensitive data during the brief window they exist, potentially exposing confidential information.
If Mitigated
With proper access controls and patching, only authorized processes can access temporary files, preventing data exposure.
🎯 Exploit Status
Exploitation requires local access to the machine running the vulnerable connector and knowledge of temporary file locations.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.3.0
Vendor Advisory: https://github.com/snowflakedb/snowflake-connector-net/security/advisories/GHSA-2mqw-rq5m-8hc8
Restart Required: No
Instructions:
1. Update the snowflake-connector-net package to version 4.3.0 or later.
2. For .NET projects: update the NuGet package reference.
3. For standalone installations: replace the connector binary with the patched version.
🔧 Temporary Workarounds
Set secure temporary directory permissions
Linux: manually configure a temporary directory with restrictive permissions before using the connector
mkdir -p /secure/temp/dir
chmod 700 /secure/temp/dir
export TMPDIR=/secure/temp/dir
🧯 If You Can't Patch
- Restrict local user access to machines running the vulnerable connector
- Monitor temporary directories for unauthorized access attempts
🔍 How to Verify
Check if Vulnerable:
Check the installed snowflake-connector-net version. If it is between 2.0.12 and 4.2.0 on Linux or macOS, the system is vulnerable.
Check Version:
dotnet list package | grep snowflake-connector-net, or check the package manifest for the version
Verify Fix Applied:
Verify that the version is 4.3.0 or later and test that temporary files created during stage downloads have restrictive permissions.
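As an added example (not from the advisory or the Snowflake project), the permission test above and the TMPDIR workaround can be checked with a small POSIX sh audit: it walks the directory the connector uses for temporary files and reports any entry that group or other users can read. It assumes only `find`, `ls` and `cut` from the base system, so it runs on both Linux and macOS.

```shell
#!/bin/sh
# Added example, not part of the advisory or the Snowflake connector project.
# Audits a directory used for the connector's temporary files (for example the
# TMPDIR set in the workaround) and reports entries readable by group or others.

# perm_string PATH -> the 10-character mode string from `ls -ld`, e.g. drwx------
perm_string() {
    ls -ld "$1" | cut -c1-10
}

# is_private PATH -> 0 if neither group nor others have any access to PATH
# (mode 0700 or tighter), 1 otherwise.
is_private() {
    case "$(perm_string "$1" | cut -c5-10)" in
        ------) return 0 ;;
        *)      return 1 ;;
    esac
}

# audit_temp_dir DIR -> 0 if DIR is private and nothing beneath it is readable
# by group/other; 1 otherwise (one line per offending entry); 2 if DIR is missing.
audit_temp_dir() {
    dir="$1"
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }
    rc=0
    if ! is_private "$dir"; then
        echo "directory is not private: $dir ($(perm_string "$dir"))"
        rc=1
    fi
    # Group-read (column 5) or other-read (column 8) on any entry below DIR is
    # exactly what lets another local user copy a downloaded stage file.
    offenders=$(find "$dir" -mindepth 1 -print | while IFS= read -r f; do
        p=$(perm_string "$f")
        case "$p" in
            ????r*|???????r*) echo "readable by group/other: $f ($p)" ;;
        esac
    done)
    if [ -n "$offenders" ]; then
        echo "$offenders"
        rc=1
    fi
    return $rc
}
```

Run it as `audit_temp_dir "$TMPDIR"` while a stage download is in progress; a non-zero exit with a listed file means the workaround is not in effect.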
📡 Detection & Monitoring
Log Indicators:
- Multiple failed file access attempts to temporary directories
- Unexpected file reads from Snowflake connector temporary locations
Network Indicators:
- Unusual data exfiltration patterns from systems running the connector
SIEM Query:
source="system_logs" AND (event="file_access" OR event="permission_denied") AND path CONTAINS "/tmp/" AND process="snowflake-connector"