CVE ID
- CVE-2025-24792 - Executing unsupported PUT or GET queries on stages causes a signed-to-unsigned conversion error that crashes the application.
CWE ID
- CWE-195 (Signed to Unsigned Conversion Error)
CPEs
- Not yet assigned (Awaiting NVD Analysis)
Affected versions
- 0.2.0 through 3.0.3
Patched versions:
- 3.1.0
Description
- Snowflake PHP PDO Driver is a driver that uses the PHP Data Objects (PDO) extension to connect to the Snowflake database. Snowflake discovered and remediated a vulnerability in the Snowflake PHP PDO Driver where executing unsupported queries like PUT or GET on stages causes a signed-to-unsigned conversion error that crashes the application using the Driver. This vulnerability affects versions 0.2.0 through 3.0.3. Snowflake fixed the issue in version 3.1.0.
Resolution
- Upgrade to Snowflake PHP PDO Driver version 3.1.0 or later.
CVE ID
CVE-2025-24788
CVE ID Summary
Files downloaded from stages are temporarily placed in a world-readable local directory on Linux and macOS, accessible to unauthorized local users.
CWE ID
CWE-276 (Incorrect Default Permissions)
CPEs
cpe:2.3:a:snowflake:snowflake_connector:*:*:*:*:*:.net:*:* (versions >= 2.0.12, < 4.3.0)
Affected Versions
2.0.12 through 4.2.0 (Linux/macOS)
Patched Versions
4.3.0
Description
snowflake-connector-net is the Snowflake Connector for .NET. Snowflake discovered and remediated a vulnerability in the Snowflake Connector for .NET in which files downloaded from stages are temporarily placed in a world-readable local directory, making them accessible to unauthorized users on the same machine. This vulnerability affects versions 2.0.12 through 4.2.0 on Linux and macOS. Snowflake fixed the issue in version 4.3.0.
Resolution
Upgrade to Snowflake Connector for .NET version 4.3.0 or later.
