CVE CyberSecurity Database News

CVE-2025-24790 - Snowflake JDBC Driver World-Readable Credential Leak

Poster -

Snowflake is a widely used cloud data platform and its JDBC driver enables Java applications to connect securely to Snowflake instances. Recently, a critical vulnerability was discovered — now tracked as CVE-2025-24790 — that exposes sensitive temporary credentials in a way that anyone on the same Linux system could access them. This post explains how the issue works, its impact, how to check if your environment is vulnerable, and how to fix it.

What is CVE-2025-24790?

This vulnerability affects organizations using the Snowflake JDBC Driver, versions 3.6.8 through 3.21., specifically on Linux systems. When the driver’s _temporary credential caching_ feature is enabled (which is typically used for re-authentication and SSO scenarios), it stores temporary credentials in a local file.

Problem: On these vulnerable versions, the cached credentials are saved to a file that is world-readable by default (permissions of 0644). That means anyone with a user account on the system can read the cached username and temporary credentials, potentially leading to session hijacking or privilege escalation.

Your application is running on a Linux system with multiple users, or is accessible to others

If you are unsure about jdbc-driver configuration, check your dependency management files (pom.xml, build.gradle, etc.) or ask your admin/dev team.

How it Works

1. Temporary credential caching is set by the property client_session_keep_alive=true or similar configuration.
2. When the driver authenticates, it caches a temporary credential in a file (often in /tmp or the user’s home directory).
3. The cached file is created with default permissions (0644 — owner can read/write; everyone else can read).

A typical Java connection setup may look like

// Vulnerable code (with temporary caching enabled)
Properties props = new Properties();
props.put("user", "YOUR_USER");
props.put("password", "YOUR_PASSWORD");
props.put("client_session_keep_alive", "true"); // Enable cred caching
props.put("account", "YOUR_ACCOUNT");

String url = "jdbc:snowflake://<account>.snowflakecomputing.com";
Connection con = DriverManager.getConnection(url, props);
// ...do stuff with connection...

In vulnerable versions, this results in a file like /tmp/sfcred_<random> with sensitive details readable by all local users.

Proof-of-Concept Exploit

Suppose you have another local user account (e.g., a malicious or curious colleague, or an attacker with limited shell access):

# As any local user, simply list all temp credential files
ls -l /tmp/sfcred_*
# Output: -rw-r--r-- 1 victimuser victimgroup   1234 2024-06-18 12:34 /tmp/sfcred_abcdef12345

# Now read its contents
cat /tmp/sfcred_abcdef12345
# Output (sanitized):
# {
#   "user": "victim_user",
#   "token": "eyJ.....",
#   "expires_at": "2024-06-19T13:45:31Z"
# }

With this token or credential, an attacker could try to impersonate the current session or mount other attacks if session hijacking is possible.

Severity and Impact

- Critical for multi-user systems (e.g. shared servers, dev/CI machines)
- Less dangerous for single-user/isolated environments, but still a concern for best practices
- Exposes _temporary login credentials_, which, depending on session length, may allow unauthorized Snowflake access

To fix

- Upgrade your Snowflake JDBC Driver to 3.22. or later. You can do this by updating your dependency version in Maven, Gradle, or your project’s library.
- Maven Central - snowflake-jdbc

You can check your version in Java with

System.out.println(
    "Snowflake JDBC Driver " + net.snowflake.client.jdbc.SnowflakeDriver.class.getPackage().getImplementationVersion()
);

Or from the CLI

# If the jar is already on your machine
unzip -p snowflake-jdbc-*.jar META-INF/MANIFEST.MF | grep Implementation-Version

References and Further Reading

- Snowflake Advisory: JDBC Credential Caching Vulnerability
- CVE-2025-24790 Entry (will update as published)
- JDBC Project Changelog
- Secure temporary files best practices

Summary

If you are running a Linux-based Java application using the Snowflake JDBC Driver with temporary credential caching enabled, update immediately to version 3.22. or later. Previous versions could leak temporary session credentials to any user on the same server. Check your systems, upgrade, and clear out any expired but world-readable files.

Stay secure, keep dependencies up to date, and always check file permissions when dealing with cache or temp files on shared systems.


_This post is part of our ongoing security awareness series. If you want more deep dives into CVEs like this, or help with Java/Snowflake security, get in touch._

Timeline

Published on: 01/29/2025 18:15:47 UTC