CVE-2025-24794
Published: 29 January 2025
Summary
CVE-2025-24794 is a medium-severity Deserialization of Untrusted Data (CWE-502) vulnerability in the Snowflake Connector for Python. Its CVSS base score is 6.7 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 32.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-11 (User-installed Software).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly requires timely identification, reporting, and correction of the deserialization flaw by patching the Snowflake Connector for Python to version 3.13.1 or later.
- CM-11 (User-installed Software): establishes and enforces policies to control user installation of software such as the vulnerable Python connector, restricting it to approved, secure versions.
- SI-7 (Software, Firmware, and Information Integrity): verifies the integrity of the connector software, detecting and preventing use of tampered or unpatched vulnerable versions.
MITRE ATT&CK Enterprise Techniques
- T1068 (Exploitation for Privilege Escalation)
Why this technique?
The CVE describes a local deserialization vulnerability in a Python library that directly enables privilege escalation on the affected system.
NVD Description
The Snowflake Connector for Python provides an interface for developing Python applications that can connect to Snowflake and perform all standard operations. Snowflake discovered and remediated a vulnerability in the Snowflake Connector for Python. The OCSP response cache uses pickle as the serialization format, potentially leading to local privilege escalation. This vulnerability affects versions 2.7.12 through 3.13.0. Snowflake fixed the issue in version 3.13.1.
Deeper analysis
CVE-2025-24794 is a deserialization vulnerability (CWE-502) in the Snowflake Connector for Python, an interface for developing Python applications that connect to Snowflake and perform standard operations. The issue stems from the OCSP response cache using pickle as the serialization format, which can lead to local privilege escalation. It affects versions 2.7.12 through 3.13.0 of the connector, with a CVSS v3.1 base score of 6.7 (AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).
A local attacker with high privileges (PR:H) can exploit this vulnerability with low complexity and no user interaction required. Successful exploitation allows the attacker to achieve high impacts on confidentiality, integrity, and availability, enabling local privilege escalation on the affected system.
Snowflake discovered and remediated the vulnerability, releasing version 3.13.1 as the fix. Detailed information is available in the GitHub security advisory (GHSA-m4f6-vcj4-w5mx) and the specific commit (3769b43822357c3874c40f5e74068458c2dc79af) that addresses the pickle serialization issue in the OCSP cache. Security practitioners should upgrade to version 3.13.1 or later to mitigate the risk.
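Added example (not code from this advisory or from the Snowflake connector project): a defender-side inventory check that flags installed connector versions inside the affected range 2.7.12 through 3.13.0, run over constructed pip-freeze output for hypothetical hosts.

```python
import re
from typing import Dict, List, Optional, Tuple

# Boundaries taken from the advisory: 2.7.12 through 3.13.0 affected, 3.13.1 fixed.
AFFECTED_MIN: Tuple[int, int, int] = (2, 7, 12)
FIXED: Tuple[int, int, int] = (3, 13, 1)

# Matches the package in pip-freeze output; pip may print '-' or '_' in the name.
_LINE = re.compile(r"^snowflake[-_]connector[-_]python==(\S+)\s*$",
                   re.IGNORECASE | re.MULTILINE)


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) for a plain X.Y.Z release, None otherwise."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if m is None:
        return None
    major, minor, patch = (int(p) for p in m.groups())
    return (major, minor, patch)


def is_affected(version: str) -> bool:
    """True when the version lies in [2.7.12, 3.13.1); unparseable input is an error, not 'safe'."""
    parsed = parse_version(version)
    if parsed is None:
        raise ValueError(f"cannot parse connector version {version!r}")
    return AFFECTED_MIN <= parsed < FIXED


def find_affected_hosts(inventory: Dict[str, str]) -> List[Tuple[str, str]]:
    """Given {host: pip-freeze text}, return (host, version) pairs that still need the 3.13.1 upgrade."""
    hits: List[Tuple[str, str]] = []
    for host, freeze in inventory.items():
        for m in _LINE.finditer(freeze):
            if is_affected(m.group(1)):
                hits.append((host, m.group(1)))
    return hits


# Constructed sample inventory: hypothetical host names and pins, not real systems.
SAMPLE_INVENTORY = {
    "etl-worker-01": "requests==2.32.3\nsnowflake-connector-python==3.12.4\n",
    "etl-worker-02": "snowflake_connector_python==3.13.1\n",
    "legacy-batch": "snowflake-connector-python==2.7.12\npandas==1.5.3\n",
    "notebook-host": "snowflake-connector-python==2.7.11\n",
}

if __name__ == "__main__":
    for host, ver in find_affected_hosts(SAMPLE_INVENTORY):
        print(f"{host}: snowflake-connector-python {ver} is in the affected range; upgrade to 3.13.1 or later")
```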
Details
- CWE(s): CWE-502 (Deserialization of Untrusted Data)