CVE-2025-46328— NodeJS Driver for Snowflake has race condition when checking access to Easy Logging configuration file
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2025-46328
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
NodeJS Driver for Snowflake has race condition when checking access to Easy Logging configuration file
Source: NVD (National Vulnerability Database)
Vulnerability Description
snowflake-connector-nodejs is a NodeJS driver for Snowflake. Versions starting from 1.10.0 to before 2.0.4, are vulnerable to a Time-of-Check to Time-of-Use (TOCTOU) race condition. When using the Easy Logging feature on Linux and macOS the Driver reads logging configuration from a user-provided file. On Linux and macOS the Driver verifies that the configuration file can be written to only by its owner. That check was vulnerable to a TOCTOU race condition and failed to verify that the file owner matches the user running the Driver. This could allow a local attacker with write access to the configuration file or the directory containing it to overwrite the configuration and gain control over logging level and output location. This issue has been patched in version 2.0.4.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
检查时间与使用时间(TOCTOU)的竞争条件
Source: NVD (National Vulnerability Database)
Vulnerability Title
Snowflake snowflake-connector-nodejs 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Snowflake snowflake-connector-nodejs是美国Snowflake公司的的适用于 NODEJS 的 Snowflake 连接器。 Snowflake snowflake-connector-nodejs 1.10.0至2.0.4之前版本存在安全漏洞,该漏洞源于TOCTOU竞争条件,可能导致日志配置被覆盖。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| snowflakedb | snowflake-connector-nodejs | >= 1.10.0, < 2.0.4 | - |
II. Public POCs for CVE-2025-46328
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2025-46328
请登录查看更多情报信息。
Same Patch Batch · snowflakedb · 2025-04-28 · 3 CVEs total
| CVE-2025-46327 | 3.3 LOW | Go Snowflake Driver has race condition when checking access to Easy Logging configuration |
| CVE-2025-46326 | 3.3 LOW | Snowflake Connector for .NET has race condition when checking access to Easy Logging confi |
IV. Related Vulnerabilities
Same vendor: snowflakedb
- CVE-2026-3293
snowflakedb snowflake-jdbc JDBC URL SdkProxyRoutePlanner.jav - CVE-2025-46329
Snowflake Connector for C/C++ inserts client-side encryption - CVE-2025-46330
Snowflake Connector for C/C++ retries malformed requests - CVE-2025-46327
Go Snowflake Driver has race condition when checking access - CVE-2025-46326
Snowflake Connector for .NET has race condition when checkin
Same weakness: CWE-367
- CVE-2026-42344
FastGPT: DNS rebinding TOCTOU bypass in isInternalAddress al - CVE-2026-44694
n8n-MCP: Authenticated SSRF in n8n-mcp webhook and API clien - CVE-2025-69233
Apache CloudStack: Domain/account resources limits not honor - CVE-2026-34354
Akamai Guardicore Platform Agent 安全漏洞 - CVE-2026-41002
VMware Spring Cloud Config 安全漏洞
V. Comments for CVE-2025-46328
No comments yet