CVE-2025-24789

7.8 HIGH

📋 TL;DR

This vulnerability allows attackers with write access to a directory in the Windows %PATH% environment variable to escalate privileges when the Snowflake JDBC Driver uses EXTERNALBROWSER authentication. It affects Java applications running on Windows that use Snowflake JDBC Driver versions 3.2.3 through 3.21.0 for database connectivity.

💻 Affected Systems

Products:
  • Snowflake JDBC Driver
Versions: 3.2.3 through 3.21.0
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Only vulnerable when using EXTERNALBROWSER authentication method on Windows systems.

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker gains the privileges of the user running the vulnerable JDBC driver, potentially leading to full system compromise, data exfiltration, or lateral movement within the network.

🟠 Likely Case

Local privilege escalation where an attacker with existing access to write to PATH directories can execute arbitrary code with the privileges of the JDBC driver user.

🟢 If Mitigated

Limited impact if proper access controls prevent unauthorized write access to PATH directories and the driver is not used with EXTERNALBROWSER authentication.

🌐 Internet-Facing: LOW - This requires local access to the system and specific authentication method usage.
🏢 Internal Only: MEDIUM - Internal users with write access to PATH directories could exploit this for privilege escalation.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires attacker to have write access to a directory in PATH and the application to use EXTERNALBROWSER authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.22.0

Vendor Advisory: https://github.com/snowflakedb/snowflake-jdbc/security/advisories/GHSA-7hpq-3g6w-pvhf

Restart Required: No

Instructions:

1. Identify applications using Snowflake JDBC Driver.
2. Update the JDBC driver dependency to version 3.22.0 or later.
3. Rebuild and redeploy affected applications.

🔧 Temporary Workarounds

Disable EXTERNALBROWSER Authentication

Platform: all

Use alternative authentication methods like username/password, OAuth, or key pair authentication instead of EXTERNALBROWSER.

Restrict PATH Directory Permissions

Platform: Windows

Ensure only authorized users have write access to directories listed in the Windows PATH environment variable.
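One way to audit this, as an added example that is not part of the vendor advisory: the PowerShell script below walks every directory on the current PATH and reports allow-ACEs that let a non-administrative principal create files there. It assumes SYSTEM, Administrators and TrustedInstaller are the only expected writers; adjust `$trustedSids` for your environment and run it in the same user context as the Java application.

```powershell
# Added example: list PATH directories writable by unexpected principals.
# Assumption: only these well-known SIDs should be able to create files in PATH directories.
$trustedSids = @(
    'S-1-5-18',      # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',  # BUILTIN\Administrators
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # NT SERVICE\TrustedInstaller
)
$fsr = [System.Security.AccessControl.FileSystemRights]
# WriteData = create files, AppendData = create subdirectories,
# 0x50000000 = raw GENERIC_ALL | GENERIC_WRITE bits that some ACEs carry.
$writeMask = [int]($fsr::WriteData) -bor [int]($fsr::AppendData) -bor 0x50000000
$sidType   = [System.Security.Principal.SecurityIdentifier]
$inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly

$entries = $env:Path -split ';' | Where-Object { $_.Trim() } | Select-Object -Unique
$findings = foreach ($entry in $entries) {
    $dir = [Environment]::ExpandEnvironmentVariables($entry.Trim('" '))
    if (-not (Test-Path -LiteralPath $dir -PathType Container)) {
        # A missing entry is worth reviewing too: whoever can create it controls it.
        [pscustomobject]@{ Directory = $dir; Identity = '-'; Rights = 'directory missing' }
        continue
    }
    try {
        $acl = Get-Acl -LiteralPath $dir -ErrorAction Stop
    } catch {
        [pscustomobject]@{ Directory = $dir; Identity = '-'; Rights = 'ACL unreadable' }
        continue
    }
    # Resolve identities to SIDs so the comparison works on localized Windows builds.
    foreach ($rule in $acl.GetAccessRules($true, $true, $sidType)) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        if ($rule.PropagationFlags -band $inheritOnly) { continue }  # does not apply to the directory itself
        if ($trustedSids -contains $rule.IdentityReference.Value) { continue }
        if (([int]$rule.FileSystemRights -band $writeMask) -eq 0) { continue }
        $name = try {
            $rule.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value
        } catch { $rule.IdentityReference.Value }   # unresolvable SID: show it raw
        [pscustomobject]@{ Directory = $dir; Identity = $name; Rights = $rule.FileSystemRights }
    }
}

if ($findings) { $findings | Format-Table -AutoSize -Wrap }
else { 'No PATH directory is writable by an unexpected principal.' }
```

The script only reads ACLs and reports; each finding still needs a manual decision on whether to remove the ACE or drop the directory from PATH.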

🧯 If You Can't Patch

  • Switch to alternative authentication methods that don't use EXTERNALBROWSER
  • Implement strict access controls on PATH directories to prevent unauthorized writes

🔍 How to Verify

Check if Vulnerable:

Check if Snowflake JDBC Driver version is between 3.2.3 and 3.21.0 inclusive, running on Windows, and using EXTERNALBROWSER authentication.

Check Version:

Check the JAR manifest: `jar xf snowflake-jdbc-*.jar META-INF/MANIFEST.MF && findstr /C:"Implementation-Version" META-INF/MANIFEST.MF`

Verify Fix Applied:

Verify the JDBC driver version is 3.22.0 or later by checking the driver JAR file or application dependencies.

📡 Detection & Monitoring

Log Indicators:

  • Failed authentication attempts using EXTERNALBROWSER method
  • Unexpected process execution from PATH directories

Network Indicators:

  • Unusual outbound connections from JDBC driver processes

SIEM Query:

Process creation events where parent process is Java and command line contains 'snowflake' and version numbers 3.2.3-3.21.0
