x/vulndb: potential Go vuln in github.com/snowflakedb/gosnowflake: CVE-2025-46327

[GoVulnBot]

Advisory CVE-2025-46327 references a vulnerability in the following Go modules:

Module
github.com/snowflakedb/gosnowflake

Description:
gosnowflake is the Snowflake Golang driver. Versions starting from 1.7.0 to before 1.13.3, are vulnerable to a Time-of-Check to Time-of-Use (TOCTOU) race condition. When using the Easy Logging feature on Linux and macOS, the Driver reads logging configuration from a user-provided file. On Linux and macOS the Driver verifies that the configuration file can be written to only by its owner. That check was vulnerable to a TOCTOU race condition and failed to verify that the file owner matches the user running the Driver. This could allow a local attacker with write access to the configuration file ...

References:

• ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2025-46327
• FIX: snowflakedb/gosnowflake@ba94a48
• WEB: GHSA-6jgm-j7h2-2fqg

Cross references:

• github.com/snowflakedb/gosnowflake appears in 1 other report(s):
  • data/excluded/GO-2023-1846.yaml (x/vulndb: potential Go vuln in github.com/snowflakedb/gosnowflake: CVE-2023-34231 #1846) NOT_A_VULNERABILITY

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/snowflakedb/gosnowflake
      vulnerable_at: 1.13.3
summary: CVE-2025-46327 in github.com/snowflakedb/gosnowflake
cves:
    - CVE-2025-46327
references:
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-46327
    - fix: https://github.com/snowflakedb/gosnowflake/commit/ba94a4800e23621eff558ef18ce4b96ec5489ff0
    - web: https://github.com/snowflakedb/gosnowflake/security/advisories/GHSA-6jgm-j7h2-2fqg
source:
    id: CVE-2025-46327
    created: 2025-04-29T00:01:11.993852066Z
review_status: UNREVIEWED

[thatnealpatel]

Duplicate of #3650