CVE-2025-46327 — Time-of-check Time-of-use (TOCTOU) Race Condition in Snowflakedb Gosnowflake
Severity
7.0 HIGH (NVD)
EPSS
0.0%
top 87.80%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Apr 28
Latest update: May 5
Description
gosnowflake is the Snowflake Golang driver. Versions from 1.7.0 up to, but not including, 1.13.3 are vulnerable to a Time-of-Check to Time-of-Use (TOCTOU) race condition. When the Easy Logging feature is used on Linux and macOS, the driver reads its logging configuration from a user-provided file. On those platforms the driver verifies that the configuration file can be written to only by its owner. That check was vulnerable to a TOCTOU race condition and failed to verify that the file owner matches the use…
CVSS vector
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability: 1.0 | Impact: 5.9
Affected Packages: 13 packages
Patches
Vulnerability Details (3)
OSV: Go Snowflake Driver has race condition checking access to Easy Logging config file in github.com/snowflakedb/gosnowflake (2025-05-05)
OSV: Go Snowflake Driver has race condition when checking access to Easy Logging configuration file (2025-04-28)
GHSA: Go Snowflake Driver has race condition when checking access to Easy Logging configuration file (2025-04-28)
Vendor Advisories (1)
Microsoft: Go Snowflake Driver has race condition when checking access to Easy Logging configuration file (2025-04-08)