Snowflake Connector for Python
cpe:2.3:a:snowflake:snowflake-connector-python:*:*:*:*:*:*:*
- >= 2.2.5, <= 3.13.0
A SQL injection vulnerability has been identified in the Snowflake Connector for Python, specifically in the 'snowflake.connector.pandas_tools' module. This issue affects versions 2.2.5 through 3.13.0. The vulnerability arises because a function in the 'pandas_tools' module does not properly sanitize all input arguments, allowing an attacker to inject malicious SQL that is executed within the context of the current session.
Exploitation of this vulnerability allows for SQL injection, where an attacker can manipulate SQL queries to execute arbitrary SQL commands in the context of the current session.
The vulnerability can be reproduced by using a version of the Snowflake Connector for Python that is between 2.2.5 and 3.13.0. A crafted input can be passed to the vulnerable function in the 'pandas_tools' module, which will then be executed as part of an SQL query without proper sanitization or parameterization.
Users are advised to upgrade to version 3.13.1 of the Snowflake Connector for Python, which addresses this vulnerability.
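Two checks a defender can run from this advisory, as an added example that is not part of the advisory or of the connector's own code: an audit that tells whether an installed connector version falls in the affected range stated above, and the identifier-quoting pattern that prevents an untrusted table or column name from being spliced into SQL text unquoted (the class of defect described). The PyPI distribution name `snowflake-connector-python` and Snowflake's double-quote identifier rules are assumed; the exact vulnerable function is not named in the advisory and is not named here.

```python
import re
from importlib import metadata

# Affected range and fixed release, taken from the advisory text.
AFFECTED_MIN = (2, 2, 5)
AFFECTED_MAX = (3, 13, 0)
FIXED = (3, 13, 1)


def parse_version(text):
    """Parse 'MAJOR.MINOR[.PATCH]' into an int tuple; trailing
    pre-release/build suffixes such as 'rc1' are ignored for comparison."""
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_affected(version_text):
    """True when the version lies within the advisory's affected range."""
    return AFFECTED_MIN <= parse_version(version_text) <= AFFECTED_MAX


def audit_installed():
    """Look up the installed connector (assumed distribution name) and
    report whether it needs upgrading. Returns (version_or_None, affected)."""
    try:
        installed = metadata.version("snowflake-connector-python")
    except metadata.PackageNotFoundError:
        return None, False
    return installed, is_affected(installed)


def quote_identifier(name):
    """Render an untrusted name as a quoted Snowflake identifier.
    Embedded double quotes are doubled, so a value such as
    x"; DROP TABLE t; -- cannot terminate the identifier early."""
    if "\x00" in name:
        raise ValueError("NUL byte in identifier")
    return '"' + name.replace('"', '""') + '"'


if __name__ == "__main__":
    version, affected = audit_installed()
    if version is None:
        print("snowflake-connector-python not installed")
    else:
        print(f"installed {version}: "
              f"{'AFFECTED, upgrade to 3.13.1' if affected else 'not affected'}")
```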