CVE-2025-24795: 
Python vulnerability analysis and mitigation

The Snowflake Connector for Python contains a security vulnerability (CVE-2025-24795) that affects versions 2.3.7 through 3.13.0. When temporary credential caching is enabled on Linux systems, the connector caches temporary credentials locally in a world-readable file, potentially exposing sensitive information. This vulnerability was discovered and remediated by Snowflake, with a fix released in version 3.13.1 (GitHub Advisory).

The vulnerability is related to incorrect default permissions (CWE-276) in the credential caching mechanism. It specifically occurs when using EXTERNALBROWSER or USERNAMEPASSWORDMFA authentication methods with temporary credential caching enabled on Linux systems. The vulnerability has been assigned a CVSS v3.1 score of 4.4 (Medium) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N, indicating local access is required, low attack complexity, and potential impacts to confidentiality and integrity (GitHub Advisory).

The vulnerability could allow unauthorized users on the same system to access cached temporary credentials, potentially leading to unauthorized access to Snowflake resources. The impact is limited to local systems where the connector is installed with temporary credential caching enabled (GitHub Advisory).

Users are strongly recommended to upgrade to Snowflake Connector for Python version 3.13.1 or later, which fixes the vulnerability by implementing proper file permissions for cached credentials (GitHub Advisory).