PT-2025-5574 · Snowflake · Snowflake Connector For Python

Published 2025-01-29 · Updated 2025-11-28 · CVE-2025-24793

CVSS v3.1: 7.0 (High)
Vector: AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Snowflake Connector for Python versions 2.2.5 through 3.13.0

Description
A function from the snowflake.connector.pandas_tools module is vulnerable to SQL injection. The issue arises because the function does not sanitize all of its arguments, and the queries built from them are not parametrized. An attacker who controls these arguments could achieve SQL injection by passing crafted input. Any SQL executed this way would still run in the context of the current session, with that session's privileges.

Recommendations
For versions 2.2.5 through 3.13.0, upgrade to version 3.13.1, which fixes the issue. As a temporary workaround, restrict use of the vulnerable function in the snowflake.connector.pandas_tools module until the upgrade is applied, and avoid passing unsanitized input into the arguments that end up in queries.
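The pattern behind this advisory, as an added illustration that is not the connector's own code: caller-supplied identifiers (database, schema, table, column names) interpolated verbatim into a SQL statement, beside a hardened builder that quotes each identifier so it can never terminate early. The names `build_insert_unsafe`, `build_insert_safe`, `quote_identifier` and `validate_identifier` are hypothetical helpers written for this page, not the connector's API.

```python
import re

# Snowflake unquoted identifiers: a letter or underscore, then letters,
# digits, underscores or dollar signs. Use this allow-list when callers
# can live with plain names; it rejects anything that needs quoting.
_UNQUOTED_IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_$]*")


def validate_identifier(name: str) -> str:
    """Accept only a plain identifier; raise on anything else."""
    if not isinstance(name, str) or not _UNQUOTED_IDENT.fullmatch(name):
        raise ValueError(f"unsafe identifier: {name!r}")
    return name


def quote_identifier(name: str) -> str:
    """Return a Snowflake-style quoted identifier.

    Double quotes delimit identifiers; an embedded double quote is
    escaped by doubling it, so the value stays inside the identifier
    and cannot smuggle further SQL into the statement. Note that quoted
    identifiers are case-sensitive in Snowflake.
    """
    if not isinstance(name, str) or not name:
        raise ValueError("identifier must be a non-empty string")
    return '"' + name.replace('"', '""') + '"'


def build_insert_unsafe(database, schema, table, columns):
    # 'Before' pattern, as described in the advisory: names are pasted
    # into the statement with no quoting and no parametrization, so a
    # crafted name changes the statement's structure.
    cols = ",".join(columns)
    return f"INSERT INTO {database}.{schema}.{table} ({cols}) SELECT * FROM staging"


def build_insert_safe(database, schema, table, columns):
    # Hardened form: every identifier is quoted, so the statement has
    # exactly the structure the caller intended regardless of input.
    target = ".".join(quote_identifier(p) for p in (database, schema, table))
    cols = ",".join(quote_identifier(c) for c in columns)
    return f"INSERT INTO {target} ({cols}) SELECT * FROM staging"


if __name__ == "__main__":
    # Constructed table name containing a quote and a statement separator.
    crafted = 't"; SELECT 1; --'
    print(build_insert_unsafe("db", "sch", crafted, ["c1"]))
    print(build_insert_safe("db", "sch", crafted, ["c1"]))
```

Values supplied by users should still be passed as bound parameters; quoting is for identifiers, which most drivers cannot bind.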

Exploit

Fix

SQL injection

Weakness Enumeration

Related Identifiers
CVE-2025-24793
GHSA-2VPQ-FH52-J3WV
PYSEC-2025-26

Affected Products
Snowflake Connector For Python