CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

CVE-2025-24793: Snowflake Connector for Python has an SQL Injection in write_pandas

7.0 CVSS

Description

The Snowflake Connector for Python provides an interface for developing Python applications that can connect to Snowflake and perform all standard operations. Snowflake discovered and remediated a vulnerability in the Snowflake Connector for Python. A function from the snowflake.connector.pandas_tools module is vulnerable to SQL injection. This vulnerability affects versions 2.2.5 through 3.13.0. Snowflake fixed the issue in version 3.13.1.

Classification

CVE ID: CVE-2025-24793

CVSS Base Severity: HIGH

CVSS Base Score: 7.0

Affected Products

Vendor: snowflakedb

Product: snowflake-connector-python

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.04% (probability of being exploited)

EPSS Percentile: 11.77% (scored less or equal to compared to others)

EPSS Date: 2025-02-28 (when was this score calculated)

References

https://github.com/snowflakedb/snowflake-connector-python/security/advisories/GHSA-2vpq-fh52-j3wv
https://github.com/snowflakedb/snowflake-connector-python/commit/f3f9b666518d29c31a49384bbaa9a65889e72056

Timeline

2025-01-30 08:58:50 UTC
CVE

Snowflake Connector for Python has an SQL Injection in write_pandas