Snowflake Node.js Driver Easy Logging TOCTOU Race Condition

Publication date: 2025-04-28

CVE ID

  • CVE-2025-46328 - TOCTOU race condition in Easy Logging configuration file permission check on Linux/macOS allows a local attacker to control logging.

CWE ID

  • CWE-367 (Time-of-check Time-of-use Race Condition)

CPEs

  • cpe:2.3:a:snowflake:snowflake_connector:*:*:*:*:*:node.js:*:* (versions >= 1.10.0, < 2.0.4)

Affected versions

  • 1.10.0 through 2.0.3

Patched versions

  • 2.0.4

Description

  • snowflake-connector-nodejs is a Node.js driver for Snowflake. Versions from 1.10.0 up to, but not including, 2.0.4 are vulnerable to a Time-of-Check to Time-of-Use (TOCTOU) race condition. When using the Easy Logging feature on Linux and macOS, the Driver reads logging configuration from a user-provided file. On Linux and macOS, the Driver verifies that the configuration file can be written to only by its owner. That check was vulnerable to a TOCTOU race condition and failed to verify that the file owner matches the user running the Driver. This could allow a local attacker with
