CVE-2025-24794: 
Python vulnerability analysis and mitigation

The Snowflake Connector for Python contains a vulnerability (CVE-2025-24794) where the OCSP response cache uses pickle as the serialization format, potentially leading to local privilege escalation. This vulnerability affects versions 2.7.12 through 3.13.0 of the connector. The issue was discovered and remediated by Snowflake, with a fix released in version 3.13.1 (GitHub Advisory, NVD).

The vulnerability exists in the OCSP response cache implementation where the pickle serialization format is used for storing cache data locally. The cache is saved on the machine running the Connector, and due to the insecure nature of pickle deserialization, this could be exploited if an attacker gains write access to the OCSP response cache file. The vulnerability has been assigned a CVSS v3.1 base score of 6.7 (Medium) with the vector string CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H, indicating local access is required but potential impact is high (GitHub Advisory).

If exploited, this vulnerability could lead to local privilege escalation. The high impact ratings for Confidentiality, Integrity, and Availability (all rated as High) indicate that successful exploitation could result in significant unauthorized access to data, system modifications, and potential service disruptions (GitHub Advisory).

The recommended mitigation is to upgrade to Snowflake Connector for Python version 3.13.1 or later, which contains the fix for this vulnerability. No alternative workarounds have been provided (GitHub Advisory, Snowflake Advisory).