CVE-2026-3293 Overview
A vulnerability has been identified in the Snowflake JDBC Driver (snowflake-jdbc) affecting versions up to 4.0.1. The weakness exists in the SdkProxyRoutePlanner class within the JDBC URL Handler component, specifically in the handling of the nonProxyHosts argument. An attacker with local access can manipulate this parameter to trigger inefficient regular expression complexity, leading to potential denial of service through resource exhaustion.
This vulnerability is classified as CWE-400 (Uncontrolled Resource Consumption) and represents an algorithmic complexity attack vector where specially crafted input can cause the regex engine to consume excessive CPU resources.
Critical Impact
Local attackers can exploit the nonProxyHosts parameter to cause denial of service through CPU exhaustion via inefficient regular expression processing in the Snowflake JDBC Driver.
Affected Products
- Snowflake JDBC Driver versions up to 4.0.1
- Applications using snowflake:snowflake_jdbc component for database connectivity
Discovery Timeline
- 2026-02-27 - CVE-2026-3293 published to NVD
- 2026-03-02 - Last updated in NVD database
Technical Details for CVE-2026-3293
Vulnerability Analysis
The vulnerability resides in the SdkProxyRoutePlanner.java file within the Snowflake JDBC Driver's internal core package. The affected code processes the nonProxyHosts configuration parameter, which specifies hosts that should bypass proxy settings.
The root issue lies in how the driver converts wildcard patterns into regular expressions. The original implementation transformed user-supplied patterns by replacing wildcard characters (*) with the regex pattern .*?, which created the potential for catastrophic backtracking when processing maliciously crafted input strings.
An attacker with local access to the system can supply specially crafted nonProxyHosts values that cause the regex engine to enter pathological matching states, consuming excessive CPU cycles and potentially causing denial of service for applications relying on the JDBC driver.
Root Cause
The vulnerability stems from unsafe regular expression construction in the SdkProxyRoutePlanner class. The original code parsed the nonProxyHosts parameter by:
- Splitting the input on pipe (|) delimiters
- Converting each segment to lowercase
- Replacing asterisk wildcards (*) with the regex quantifier .*?
This conversion created regex patterns susceptible to ReDoS (Regular Expression Denial of Service) attacks, where crafted input can trigger exponential time complexity in pattern matching.
Attack Vector
The attack requires local access to the system and the ability to control or influence the nonProxyHosts configuration parameter passed to the JDBC driver. The exploitation is straightforward:
- An attacker crafts a malicious nonProxyHosts value with patterns designed to trigger catastrophic regex backtracking
- The JDBC driver parses this value using the vulnerable regex construction logic
- Subsequent host matching operations consume excessive CPU resources
- The application becomes unresponsive or crashes due to resource exhaustion
The following patch shows how Snowflake addressed the vulnerability by removing the unsafe regex conversion:
String proxyHost, int proxyPort, HttpProtocol proxyProtocol, String nonProxyHosts) {
super(DefaultSchemePortResolver.INSTANCE);
proxy = new HttpHost(proxyHost, proxyPort, proxyProtocol.toString());
- // parseNonProxyHosts
if (!SnowflakeUtil.isNullOrEmpty(nonProxyHosts)) {
- String[] hosts = nonProxyHosts.split("\\|");
- hostPatterns = new String[hosts.length];
- for (int i = 0; i < hosts.length; ++i) {
- hostPatterns[i] = hosts[i].toLowerCase().replace("*", ".*?");
- }
+ hostPatterns = nonProxyHosts.split("\\|");
} else {
hostPatterns = null;
}
Source: GitHub Commit 5fb0a8a
The fix removes the vulnerable wildcard-to-regex conversion, instead using the raw split patterns with proper sanitization handled by the SnowflakeUtil class:
import java.util.concurrent.ThreadFactory;
import java.util.concurrent.ThreadPoolExecutor;
import java.util.concurrent.TimeUnit;
+import java.util.regex.Pattern;
import java.util.stream.Collectors;
import net.snowflake.client.api.exception.ErrorCode;
import net.snowflake.client.api.exception.SnowflakeSQLException;
Source: GitHub Commit 5fb0a8a
Detection Methods for CVE-2026-3293
Indicators of Compromise
- Unusual CPU spikes in applications using Snowflake JDBC Driver
- Thread pool exhaustion or hung threads related to proxy routing operations
- Application logs showing slow or timed-out database connection attempts
- Stack traces referencing SdkProxyRoutePlanner or regex pattern matching
Detection Strategies
- Monitor CPU utilization patterns in Java applications using Snowflake JDBC connectivity
- Implement application performance monitoring (APM) to detect regex-related CPU spikes
- Review JDBC connection configuration for suspicious nonProxyHosts values containing complex wildcard patterns
- Enable JVM thread dump analysis to identify threads stuck in regex matching operations
Monitoring Recommendations
- Configure alerting for sustained high CPU usage in database connectivity components
- Deploy SentinelOne endpoint protection to monitor for local exploitation attempts
- Implement logging for JDBC driver configuration changes
- Establish baselines for normal database connection establishment times to detect anomalies
How to Mitigate CVE-2026-3293
Immediate Actions Required
- Upgrade the Snowflake JDBC Driver to a patched version beyond 4.0.1
- Review and validate all nonProxyHosts configuration values for malicious patterns
- Monitor applications using the affected driver for signs of resource exhaustion
- Implement network segmentation to limit local access to systems running vulnerable drivers
Patch Information
Snowflake has released a security patch addressing this vulnerability. The fix is available in commit 5fb0a8a318a2ed87f4022a1f56e742424ba94052 and removes the unsafe regex pattern construction that enabled the ReDoS attack.
Organizations should upgrade their Snowflake JDBC Driver dependencies to incorporate this fix. The patch can be reviewed in the GitHub Commit History and related details are tracked in Snowflake Jira Issue SNOW-3104251.
Workarounds
- Restrict local access to systems running applications with vulnerable Snowflake JDBC Driver configurations
- Implement input validation on nonProxyHosts values before they reach the JDBC driver
- Use application-level firewalls or security policies to limit configuration modifications
- Deploy containerization or sandboxing to isolate applications using the vulnerable driver
# Verify current Snowflake JDBC Driver version in Maven projects
mvn dependency:tree | grep snowflake-jdbc
# Update to patched version in pom.xml
# Ensure version is greater than 4.0.1
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
