CVE-2025-24790 Overview
CVE-2025-24790 is an Insecure Permissions vulnerability in the Snowflake JDBC Driver that affects Linux systems when temporary credential caching is enabled. The vulnerability causes the driver to cache temporary credentials locally in a world-readable file, potentially exposing sensitive authentication data to unauthorized local users. Snowflake discovered and remediated this vulnerability, releasing a fix in version 3.22.0.
Critical Impact
Local users on affected Linux systems can read cached temporary credentials, potentially leading to unauthorized access to Snowflake data warehouse accounts and sensitive enterprise data.
Affected Products
- Snowflake JDBC Driver versions 3.6.8 through 3.21.0
- Linux operating systems with temporary credential caching enabled
- Java applications using affected Snowflake JDBC driver versions
Discovery Timeline
- January 29, 2025 - CVE-2025-24790 published to NVD
- August 25, 2025 - Last updated in NVD database
Technical Details for CVE-2025-24790
Vulnerability Analysis
This vulnerability stems from improper file permission handling in the Snowflake JDBC Driver's credential caching mechanism on Linux systems. When applications connect to Snowflake using the JDBC driver with temporary credential caching enabled, the driver creates cache files to store authentication tokens locally. Due to a flaw in the file creation process, these cache files are created with world-readable permissions (CWE-276: Incorrect Default Permissions), allowing any local user on the system to read the cached credentials.
The issue matters most on multi-user Linux hosts such as shared development servers, CI runners, or cloud compute instances where other users or service accounts can read the same filesystem; a container that bind-mounts a shared home or cache directory is exposed in the same way.
Root Cause
The root cause is an Incorrect Default Permissions issue (CWE-276) in how the Snowflake JDBC Driver creates cache files and directories on Linux systems. The driver failed to properly restrict file permissions when creating the .cache directory and associated credential cache files, resulting in world-readable permissions instead of owner-only access.
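As an added example (not code from the page or from the Snowflake driver), the shell script below reproduces the bug class described above on any Linux box: a cache file written under the JVM's inherited umask comes out world-readable, while tightening the mask before anything is created yields the owner-only mode the fix is meant to achieve. The file name temporary_credential.json and the directory layout are assumptions for the demo, not the driver's real paths.

```shell
#!/bin/sh
# Added example, not code from the page or from the Snowflake driver: reproduces
# the bug class (cache file created under the inherited umask) next to the
# owner-only creation the fix is meant to achieve. The file name
# temporary_credential.json and the directory layout are assumptions for the demo.

# Print the permission bits of a path in octal (GNU stat first, BSD stat as fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Exit 0 when "other" has read permission on the path (the -004 bit), 1 otherwise.
is_world_readable() {
    [ -n "$(find "$1" -prune -perm -004 -print)" ]
}

# Vulnerable pattern: rely on whatever umask the process inherited. With the
# common default of 022, directories come out 0755 and files 0644, so any local
# user can open the cached token.
write_cache_default() {
    dir=$1; payload=$2
    ( umask 022; mkdir -p "$dir"; printf '%s\n' "$payload" > "$dir/temporary_credential.json" )
    echo "$dir/temporary_credential.json"
}

# Fixed pattern: tighten the mask before anything is created, so the directory is
# 0700 and the file 0600 from the first instant (a chmod after the fact would leave
# a window in which the file exists world-readable). The explicit chmod 700 also
# covers a directory that already existed with a wider mode.
write_cache_owner_only() {
    dir=$1; payload=$2
    ( umask 077; mkdir -p "$dir"; chmod 700 "$dir"; printf '%s\n' "$payload" > "$dir/temporary_credential.json" )
    echo "$dir/temporary_credential.json"
}

# Stand-alone demo with a constructed token; prints the resulting mode of each file.
demo() {
    base=$(mktemp -d)
    v=$(write_cache_default "$base/vulnerable" '{"token":"constructed-sample-token"}')
    f=$(write_cache_owner_only "$base/fixed" '{"token":"constructed-sample-token"}')
    echo "default umask: $(mode_of "$v")  $v"
    echo "owner-only:    $(mode_of "$f")  $f"
    rm -rf "$base"
}
demo
```

The point of setting the umask (or passing the mode at creation) rather than calling chmod afterwards is that there is never a moment at which the token sits on disk with the wider mode; a chmod-after-write fix closes the hole only for files that survive long enough to be fixed.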
Attack Vector
The attack vector is local, requiring an attacker to have user-level access to the same Linux system where the vulnerable Snowflake JDBC Driver is operating with credential caching enabled. An attacker can exploit this vulnerability by:
- Identifying systems running Java applications that use the Snowflake JDBC Driver
- Locating the .cache directory where temporary credentials are stored
- Reading the world-readable cache files to obtain temporary authentication tokens
- Using the stolen credentials to access Snowflake data warehouse resources
The following excerpt from the fix commit shows a static import added for a platform check (isWindows); the permission logic it gates lives at the call site, which this excerpt does not include:
package net.snowflake.client.config;
import static net.snowflake.client.jdbc.SnowflakeUtil.convertSystemGetEnvToBooleanValue;
+import static net.snowflake.client.jdbc.SnowflakeUtil.isWindows;
import static net.snowflake.client.jdbc.SnowflakeUtil.systemGetEnv;
import com.fasterxml.jackson.dataformat.toml.TomlMapper;
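Review bot: the only change in this hunk is the static import of isWindows, and none of the visible lines use it; the excerpt stops before the call site, so the reader cannot see the branch it gates. Since POSIX mode bits do not exist on Windows, the place where isWindows() decides whether owner-only permissions are applied is the part of the fix that proves the Linux path is restricted, and that hunk should be shown alongside this import.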
Source: GitHub Commit Update
The patch also changes the cache file builder to set the owner-only-permissions option explicitly; note that this excerpted call site passes false:
.setBaseCacheFileName(CACHE_FILE_NAME)
.setCacheExpirationInSeconds(CACHE_EXPIRATION_IN_SECONDS)
.setCacheFileLockExpirationInSeconds(CACHE_FILE_LOCK_EXPIRATION_IN_SECONDS)
+ .setOnlyOwnerPermissions(false)
.build();
}
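Review bot: .setOnlyOwnerPermissions(false) on the added line contradicts the sentence that introduces this hunk, which says the builder is changed to set owner-only permissions; as the method is named, passing false leaves the cache file at its inherited mode. Either this builder belongs to a cache the commit intentionally keeps shared and the wrong call site was excerpted, or the value should be true for the temporary-credential cache. Show the builder for the credential cache with .setOnlyOwnerPermissions(true), and say which cache this one is.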
Source: GitHub Commit Update
Detection Methods for CVE-2025-24790
Indicators of Compromise
- World-readable files in Snowflake JDBC cache directories (typically .cache folders)
- Reads of credential cache files by users other than the owner (only visible where file-access auditing such as an auditd watch is in place; a world-readable file produces no permission-denied error to alert on)
- Anomalous Snowflake authentication patterns from unexpected source systems
- Unauthorized data access in Snowflake audit logs correlated with credential exposure timeframes
Detection Strategies
- Audit file permissions on systems running Java applications with Snowflake JDBC connectivity using find commands to identify world-readable cache files
- Monitor Snowflake access logs for authentication events from unexpected IP addresses or user agents
- Implement file integrity monitoring (FIM) on known Snowflake cache directories to catch permission changes and tampering; FIM does not see reads, so add an audit watch (for example auditd with -w <cache path> -p r) if you need to know who opened the files
Monitoring Recommendations
- Enable Snowflake's built-in access history and login history monitoring to detect credential misuse
- Configure host-based intrusion detection systems (HIDS) to alert on file permission anomalies in application directories
- Review Snowflake JDBC driver versions across your environment using dependency scanning tools
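As an added example serving the two strategies above (auditing hosts with find, and reviewing driver versions across the estate), this shell script, not code from the page or from Snowflake, walks a directory tree for Snowflake JDBC jars and flags those whose file-name version falls in the affected range of 3.6.8 through 3.21.0. The jar naming convention (snowflake-jdbc-<version>.jar, optionally with a variant suffix such as -fips before the version) is an assumption about the deployment being scanned, and the sample tree is constructed.

```shell
#!/bin/sh
# Added example, not code from the page or from Snowflake: triage Snowflake JDBC
# jars on a host by the version in the file name. Affected range per the advisory
# is 3.6.8 through 3.21.0 inclusive; 3.22.0 and later carry the fix. Jar naming
# (snowflake-jdbc-<version>.jar, with an optional variant suffix before the
# version) is an assumption about the deployment being scanned.

FIRST_AFFECTED=3.6.8
LAST_AFFECTED=3.21.0

# Collapse "MAJ.MIN.PAT" into one integer so versions compare numerically
# (3.21.0 -> 3021000; a plain string compare would put 3.9.0 above 3.21.0).
version_key() {
    echo "$1" | { IFS=. read -r maj min pat; echo $(( ${maj:-0} * 1000000 + ${min:-0} * 1000 + ${pat:-0} )); }
}

# Exit 0 when the version lies inside the affected range, 1 otherwise.
jdbc_version_is_vulnerable() {
    k=$(version_key "$1")
    [ "$k" -ge "$(version_key "$FIRST_AFFECTED")" ] && [ "$k" -le "$(version_key "$LAST_AFFECTED")" ]
}

# List every snowflake-jdbc jar under a directory with its verdict, one per line.
report_jars() {
    find "$1" -type f -name 'snowflake-jdbc*-[0-9]*.jar' 2>/dev/null | while IFS= read -r jar; do
        ver=$(basename "$jar" | sed -E 's/^snowflake-jdbc.*-([0-9]+\.[0-9]+\.[0-9]+)\.jar$/\1/')
        if jdbc_version_is_vulnerable "$ver"; then
            echo "VULNERABLE $ver $jar"
        else
            echo "ok         $ver $jar"
        fi
    done
}

# Number of vulnerable jars under a directory, for scripting a pass/fail gate.
count_vulnerable_jars() {
    report_jars "$1" | grep -c '^VULNERABLE' || true
}

# Constructed sample tree: empty files standing in for real jars.
make_sample_dir() {
    d=$(mktemp -d)
    mkdir -p "$d/app/lib" "$d/legacy"
    : > "$d/app/lib/snowflake-jdbc-3.13.30.jar"        # inside the range
    : > "$d/app/lib/snowflake-jdbc-fips-3.21.0.jar"    # last affected release
    : > "$d/app/lib/snowflake-jdbc-3.22.0.jar"         # first fixed release
    : > "$d/legacy/snowflake-jdbc-3.6.7.jar"           # predates the range
    echo "$d"
}

report_jars "$(make_sample_dir)"
```

In a CI or fleet-audit job, fail the run when count_vulnerable_jars returns anything other than 0. File-name triage is only a first pass: a shaded or renamed jar hides the version, so back it with the dependency report from Maven or Gradle for each application.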
How to Mitigate CVE-2025-24790
Immediate Actions Required
- Upgrade the Snowflake JDBC Driver to version 3.22.0 or later immediately
- Audit existing cache files and directories for improper permissions and remediate
- Rotate any credentials that may have been exposed through world-readable cache files
- Review Snowflake audit logs for any unauthorized access during the exposure window
Patch Information
Snowflake has released version 3.22.0 of the JDBC Driver, which fixes this vulnerability. The patch implements proper file permission handling when creating cache directories and files on Linux systems. Organizations should update their Snowflake JDBC Driver dependency (Maven coordinate net.snowflake:snowflake-jdbc) through their build tooling (Maven, Gradle, etc.) and redeploy affected applications.
For detailed patch information, refer to the GitHub Security Advisory GHSA-33g6-495w-v8j2.
Workarounds
- Disable temporary credential caching if it is not needed for your use case; for the JDBC driver this is the CLIENT_STORE_TEMPORARY_CREDENTIAL connection property (confirm the exact name against the driver documentation for your version)
- Manually restrict permissions on existing cache directories with chmod 700; that alone stops other users from reaching the files inside, but also set the files to 600 so a later loosening of the directory mode does not expose them
- Implement filesystem access controls or SELinux/AppArmor policies to restrict access to cache directories
# Fix permissions on existing Snowflake cache directories (adjust the path; the
# location is deployment-specific). 700 on the directory alone already stops other
# users from opening anything inside it; 600 on the files keeps them safe even if
# the directory mode is later loosened.
find /path/to/application -name ".cache" -type d -exec chmod 700 {} \;
find /path/to/application/.cache -type f -exec chmod 600 {} \;
# Verify no world-readable credential files remain. -perm -004 is the POSIX form
# of "other has read"; the name pattern is a broad guess, so review each hit.
find / -name "*snowflake*cache*" -perm -004 -type f 2>/dev/null
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

