Snowflake Connector for Node.js Temporary Credential Cache Permission Vulnerability

Vulnerability

A vulnerability exists in the Snowflake Connector for Node.js, specifically in versions 1.12.0 through 2.0.1 on Linux. The issue arises from improper file permission checks for the temporary credential cache. An attacker with write access to the local cache directory could bypass these checks, allowing them to manipulate how temporary credentials are stored and accessed. This flaw is particularly relevant when using the EXTERNALBROWSER or USERNAME_PASSWORD_MFA authentication methods, which cache credentials in a local file.

Impact

Exploitation of this vulnerability could lead to unauthorized access to temporary credentials, allowing for potentially malicious actions within the Snowflake environment.

Reproduction

To reproduce this vulnerability, use the Snowflake Connector for Node.js version 1.12.0 through 2.0.1 on a Linux system. Enable temporary credential caching and use either the EXTERNALBROWSER or USERNAME_PASSWORD_MFA authentication methods. An attacker can then place an empty file in the local cache directory, which the connector will mistakenly accept as valid temporary credentials.

Remediation

Upgrade to version 2.0.2 of the Snowflake Connector for Node.js, which addresses this vulnerability.
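
The following audit is an added example, not code from the Snowflake connector or from the 2.0.2 fix. It shows the kind of ownership, mode and content checks a credential cache file should pass before it is trusted, including the empty-file case described above. The function name auditCredentialCache is hypothetical, the cache file path is supplied by the caller, and treating the cache content as a JSON object is an assumption.

```javascript
const fs = require('fs');
const path = require('path');

// Hypothetical helper: returns a list of findings; an empty list means every check passed.
function auditCredentialCache(filePath) {
  const findings = [];
  const uid = process.getuid(); // POSIX only; the advisory concerns Linux

  // The directory decides who may plant or swap files, so check it first.
  let dir;
  try {
    dir = fs.lstatSync(path.dirname(filePath));
  } catch (err) {
    return [`cannot stat cache directory: ${err.code}`];
  }
  if (!dir.isDirectory()) findings.push('cache directory is not a real directory');
  if (dir.uid !== uid) findings.push('cache directory is owned by another user');
  if (dir.mode & 0o022) findings.push('cache directory is group- or world-writable');

  // Open without following symlinks, then inspect the descriptor we read from,
  // so the file cannot be swapped between the check and the read.
  const flags = fs.constants.O_RDONLY | fs.constants.O_NOFOLLOW |
                fs.constants.O_NONBLOCK; // O_NONBLOCK: do not hang on a planted FIFO
  let fd;
  try {
    fd = fs.openSync(filePath, flags);
  } catch (err) {
    return findings.concat(`cannot open cache file: ${err.code}`);
  }
  try {
    const st = fs.fstatSync(fd);
    if (!st.isFile()) return findings.concat('cache entry is not a regular file');
    if (st.uid !== uid) findings.push('cache file is owned by another user');
    if (st.mode & 0o077) findings.push('cache file is accessible to group or others');
    if (st.size === 0) return findings.concat('cache file is empty');
    try {
      // Assumption: the cache holds a JSON object.
      const parsed = JSON.parse(fs.readFileSync(fd, 'utf8'));
      if (parsed === null || typeof parsed !== 'object') {
        findings.push('cache file is not a JSON object');
      }
    } catch (err) {
      findings.push('cache file is not valid JSON');
    }
    return findings;
  } finally {
    fs.closeSync(fd);
  }
}
```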

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 4.2
impact: 1.3
exploitability: 4.3
remediation: 7.7
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.