CVE-2025-46328: 
JavaScript vulnerability analysis and mitigation

CVE-2025-46328 affects the snowflake-connector-nodejs, a NodeJS driver for Snowflake, in versions from 1.10.0 to before 2.0.4. The vulnerability was discovered and disclosed on April 28, 2025. It involves a Time-of-Check to Time-of-Use (TOCTOU) race condition in the Easy Logging feature when running on Linux and macOS systems (GitHub Advisory, NVD).

The vulnerability occurs in the Easy Logging feature's file permission verification mechanism. When the Driver reads logging configuration from a user-provided file on Linux and macOS, it attempts to verify that the configuration file can be written to only by its owner. However, this check was vulnerable to a TOCTOU race condition and failed to verify that the file owner matches the user running the Driver. The vulnerability has been assigned a CVSS v3.1 base score of 3.3 (Low) with vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N (GitHub Advisory).

This vulnerability could allow a local attacker with write access to the configuration file or the directory containing it to overwrite the configuration and gain control over logging level and output location (GitHub Advisory).

The vulnerability has been patched in version 2.0.4 of the NodeJS Driver for Snowflake. Users are recommended to upgrade to this version to address the security issue (GitHub Advisory).