CVE-2025-24793: 
Python vulnerability analysis and mitigation

The Snowflake Connector for Python, which provides an interface for developing Python applications to connect to Snowflake and perform standard operations, contains a SQL injection vulnerability (CVE-2025-24793). The vulnerability exists in a function from the snowflake.connector.pandas_tools module and affects versions 2.2.5 through 3.13.0. The issue was discovered and remediated by Snowflake, with a fix released in version 3.13.1 (NVD, Snowflake Advisory).

The vulnerability stems from insufficient argument sanitization in the snowflake.connector.pandas_tools module, where certain queries are not properly parametrized. The issue has been assigned a CVSS v3.1 base score of 7.0 (High), with the following vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H. This indicates that while local access and high attack complexity are required, the potential impact on confidentiality, integrity, and availability is high (GitHub Advisory).

If successfully exploited, an attacker controlling the vulnerable arguments could achieve SQL injection by passing crafted input. Any SQL executed through this vulnerability would run in the context of the current session, potentially leading to unauthorized data access, modification, or deletion of database contents (GitHub Advisory).

Snowflake has released version 3.13.1 of the Snowflake Connector for Python, which contains a patch for this vulnerability. Users are strongly recommended to upgrade to this version to mitigate the risk. The fix involves proper parametrization of SQL queries and improved argument sanitization (Snowflake Advisory, GitHub Commit).