CVE-2025-46328

Name of the Vulnerable Software and Affected Versions snowflake-connector-nodejs versions 1.10.0 through 2.0.4

Description The issue concerns a Time-of-Check to Time-of-Use (TOCTOU) race condition. When using the Easy Logging feature on Linux and macOS, the driver reads logging configuration from a user-provided file. The driver verifies that the configuration file can be written to only by its owner, but this check is vulnerable to a TOCTOU race condition and fails to verify that the file owner matches the user running the driver. This could allow a local attacker with write access to the configuration file or the directory containing it to overwrite the configuration and gain control over logging level and output location.

Recommendations For snowflake-connector-nodejs versions 1.10.0 through 2.0.4, update to version 2.0.4 or later to resolve the issue. As a temporary workaround, consider restricting write access to the configuration file and the directory containing it to prevent potential exploitation.