CVE-2025-24794

CVE-2025-24794 is a deserialization vulnerability (CWE-502) in the Snowflake Connector for Python, an interface for developing Python applications that connect to Snowflake and perform standard operations. The issue stems from the OCSP response cache using pickle as the serialization format, which can lead to local privilege escalation. It affects versions 2.7.12 through 3.13.0 of the connector, with a CVSS v3.1 base score of 6.7 (AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).

A local attacker with high privileges (PR:H) can exploit this vulnerability with low complexity and no user interaction required. Successful exploitation allows the attacker to achieve high impacts on confidentiality, integrity, and availability, enabling local privilege escalation on the affected system.

Snowflake discovered and remediated the vulnerability, releasing version 3.13.1 as the fix. Detailed information is available in the GitHub security advisory (GHSA-m4f6-vcj4-w5mx) and the specific commit (3769b43822357c3874c40f5e74068458c2dc79af) that addresses the pickle serialization issue in the OCSP cache. Security practitioners should upgrade to version 3.13.1 or later to mitigate the risk.