Snowflake JDBC Driver 3.0.13-3.23.0 DEBUG Logging Key Exposure
CVE-2025-27496 Published on March 13, 2025
Snowflake JDBC Driver client-side encryption key in DEBUG logs
Snowflake, a platform for using artificial intelligence in the context of cloud computing, has a vulnerability in the Snowflake JDBC driver ("Driver") in versions 3.0.13 through 3.23.0 of the driver. When the logging level was set to DEBUG, the Driver would log locally the client-side encryption master key of the target stage during the execution of GET/PUT commands. This key by itself does not grant access to any sensitive data without additional access authorizations, and is not logged server-side by Snowflake. Snowflake fixed the issue in version 3.23.1.
Vulnerability Analysis
CVE-2025-27496 is exploitable with local system access, and requires small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality, a small impact on integrity and availability.
Weakness Type
Insertion of Sensitive Information into Log File
Information written to log files can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information.
Affected Versions
snowflakedb snowflake-jdbc Version >= 3.0.13, < 3.23.1 is affected by CVE-2025-27496Vulnerable Packages
The following package name and versions may be associated with CVE-2025-27496
| Package Manager | Vulnerable Package | Versions | Fixed In |
|---|---|---|---|
| maven | net.snowflake:snowflake-jdbc | >= 3.0.13, <= 3.23.0 | 3.23.1 |
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.