CVE-2025-46329 is a vulnerability identified in the Snowflake Connector for C/C++ (libsnowflakeclient) versions from 0.5.0 up to but not including 2.2.0. The issue arises when the logging level is set to DEBUG, causing the client to log sensitive information locally. Specifically, the client-side encryption master key used for encrypting data in target stages during GET and PUT commands is recorded in local logs. This master key is critical for client-side encryption processes, although possession of this key alone does not grant access to the encrypted data without additional access controls or authorizations. Importantly, this sensitive information is not logged on the Snowflake server side, limiting exposure to local environments where the connector is running. The vulnerability is classified under CWE-532, which concerns the insertion of sensitive information into log files, potentially leading to information disclosure if logs are accessed by unauthorized parties. The issue has been addressed and patched in version 2.2.0 of libsnowflakeclient. The CVSS v3.1 base score is 3.3 (low severity), reflecting limited impact due to the requirement for local access and the fact that the key alone does not compromise data confidentiality fully. Exploitation requires local privileges with at least low-level permissions (PR:L), no user interaction is needed, and the attack vector is local (AV:L). There are no known exploits in the wild at this time.

For European organizations using libsnowflakeclient versions prior to 2.2.0 with DEBUG logging enabled, this vulnerability poses a risk of sensitive information leakage through local log files. If an attacker gains local access to systems running the vulnerable connector, they could extract the client-side encryption master key from logs. While this key alone does not provide direct access to encrypted data, it could facilitate further attacks if combined with other compromised credentials or access rights. This could undermine the confidentiality of sensitive data stored in Snowflake stages, especially in environments with weak local access controls or inadequate log file protections. The impact is primarily on confidentiality, with no direct effect on integrity or availability. Given that many European enterprises rely on Snowflake for data warehousing and analytics, exposure of encryption keys could weaken their data protection posture and potentially violate data protection regulations such as GDPR if sensitive data is indirectly exposed. However, the low CVSS score and absence of known exploits suggest the immediate risk is limited, provided best practices around access control and logging are followed.

1. Upgrade libsnowflakeclient to version 2.2.0 or later, where this vulnerability is patched. 2. Disable DEBUG level logging in production environments to prevent sensitive information from being recorded in logs. 3. Implement strict access controls on systems running the connector to restrict local access only to authorized personnel. 4. Secure log files by enforcing appropriate file permissions and consider encrypting logs at rest to prevent unauthorized reading. 5. Regularly audit and monitor log files for any unauthorized access or suspicious activity. 6. Use centralized logging solutions with controlled access to reduce the risk of local log exposure. 7. Educate developers and system administrators about the risks of verbose logging and the importance of secure key management. 8. Review and strengthen overall key management policies to ensure that possession of the client-side encryption master key alone does not lead to data compromise.