CVE-2025-24789
Published: 29 January 2025
Summary
CVE-2025-24789 is a high-severity Untrusted Search Path (CWE-426) vulnerability in the Snowflake JDBC Driver. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Path Interception by Search Order Hijacking (T1574.008). The CVE ranks at the 35.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-6 (Configuration Settings).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Directly remediates the known flaw in Snowflake JDBC Driver versions 3.2.3 through 3.21.0 by requiring timely upgrades to the patched version 3.22.0.
- Establishes and enforces secure configuration settings for environment variables like PATH to exclude writable directories vulnerable to exploitation in this untrusted search path attack.
- Deploys malicious code protection mechanisms to identify and block execution of arbitrary malicious executables placed by local attackers in PATH directories during EXTERNALBROWSER authentication.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The untrusted search path flaw (CWE-426) on Windows allows an attacker to place a malicious executable in a %PATH% directory and hijack the driver's execution during EXTERNALBROWSER authentication, directly enabling T1574.008 (Path Interception by Search Order Hijacking) for local privilege escalation (T1068).
NVD Description
Snowflake JDBC provides a JDBC type 4 driver that supports core functionality, allowing Java program to connect to Snowflake. Snowflake discovered and remediated a vulnerability in the Snowflake JDBC Driver. When the EXTERNALBROWSER authentication method is used on Windows, an attacker with write access to a directory in the %PATH% can escalate their privileges to the user that runs the vulnerable JDBC Driver version. This vulnerability affects versions 3.2.3 through 3.21.0 on Windows. Snowflake fixed the issue in version 3.22.0.
Deeper analysis
CVE-2025-24789 is a privilege escalation vulnerability in the Snowflake JDBC Driver, a type 4 driver enabling Java programs to connect to Snowflake data warehouses. The issue arises when the EXTERNALBROWSER authentication method is used on Windows systems, allowing an attacker with write access to a directory in the system's %PATH% environment variable to execute arbitrary code as the user running the vulnerable driver. This untrusted search path flaw, classified under CWE-426, affects versions 3.2.3 through 3.21.0 exclusively on Windows platforms, with a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
A local attacker requires low privileges (PR:L) and write access to any directory listed in the %PATH% to exploit this vulnerability. By placing a malicious executable in that path, the attacker can hijack the driver's execution flow during authentication, leading to full compromise of the affected user's context, including high confidentiality, integrity, and availability impacts.
Snowflake remediated the vulnerability in version 3.22.0 of the JDBC Driver. Security practitioners should immediately upgrade to this patched version. Additional details are available in the GitHub security advisory (GHSA-7hpq-3g6w-pvhf) and the fixing commit (4f01bb8f9b708c71e7a2111c87371dbfc1d53dd6).
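The precondition described above is write access to a directory on %PATH%, so alongside the upgrade it is worth auditing PATH directory ACLs on hosts that run the driver. The PowerShell below is an added example, not code from Snowflake or the advisory; the trusted-principal list (SYSTEM, Administrators, TrustedInstaller and the account running the audit) is an assumption to adjust for your environment.

```powershell
# Added example: list %PATH% directories where a principal outside the trusted
# set holds an Allow ACE that permits creating files in the directory itself.
$trusted = @(
    'S-1-5-18',      # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',  # BUILTIN\Administrators
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464',  # TrustedInstaller
    [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value  # account running the audit
)
# Rights bits that allow adding a new file to a directory:
# CreateFiles/WriteData (0x2), GENERIC_ALL (0x10000000), GENERIC_WRITE (0x40000000)
$writeMask   = 0x2 -bor 0x10000000 -bor 0x40000000
$sidType     = [System.Security.Principal.SecurityIdentifier]
$inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly

$findings = foreach ($entry in ($env:PATH -split ';' | Where-Object { $_.Trim() } | Select-Object -Unique)) {
    $dir = [Environment]::ExpandEnvironmentVariables($entry.Trim().Trim('"'))
    if (-not (Test-Path -LiteralPath $dir -PathType Container)) {
        # Missing entries need review too: check who is able to create the directory
        [pscustomobject]@{ Directory = $dir; Principal = '-'; Rights = 'directory does not exist' }
        continue
    }
    try { $acl = Get-Acl -LiteralPath $dir -ErrorAction Stop }
    catch {
        [pscustomobject]@{ Directory = $dir; Principal = '-'; Rights = 'ACL could not be read' }
        continue
    }
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ace.PropagationFlags.HasFlag($inheritOnly)) { continue }  # applies to children only
        if ($trusted -contains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $writeMask) -eq 0) { continue }
        [pscustomobject]@{
            Directory = $dir
            Principal = $ace.IdentityReference.Value   # SID string
            Rights    = $ace.FileSystemRights
        }
    }
}
$findings | Format-Table -AutoSize -Wrap
```

Run it under the same account and session type as the Java process that loads the driver, since %PATH% can differ between users and services. Any row it prints is a directory to remove from PATH or to re-permission.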
Details
- CWE(s)