Description
A weakness has been identified in snowflakedb snowflake-jdbc up to version 4.0.1. The affected code is the function SdkProxyRoutePlanner in the file src/main/java/net/snowflake/client/internal/core/SdkProxyRoutePlanner.java, part of the JDBC URL Handler component. Manipulating the nonProxyHosts argument can trigger inefficient regular expression complexity (ReDoS). The attack can only be executed locally. A public exploit exists and could be used in attacks. The fix is commit 5fb0a8a318a2ed87f4022a1f56e742424ba94052; applying that patch remediates the issue.
Published: 2026-02-27
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via Regular Expression DoS
Action: Apply Patch
AI Analysis

Impact

The SdkProxyRoutePlanner component of the Snowflake JDBC driver fails to validate the nonProxyHosts argument, allowing an attacker who can supply malicious input to craft a regular expression that triggers excessive CPU usage and memory consumption. This leads to resource exhaustion, disrupting the availability of the database client. The weakness is a classic Regular Expression Denial of Service flaw, identified as CWE-1333 and also linked to uncontrolled resource consumption (CWE-400).

Affected Systems

Snowflake JDBC drivers up to version 4.0.1 are affected. The vendor product is Snowflake JDBC from snowflakedb, and the vulnerability exists until the patch that incorporates commit 5fb0a8a318a2ed87f4022a1f56e742424ba94052, which is contained in later releases.

Risk and Exploitability

The CVSS score is 4.8, indicating medium severity. The EPSS score is below 1%, which means the likelihood of exploitation is low, and the vulnerability is not listed in the CISA KEV catalog. The attacker must have local access to the system running the JDBC driver, since the description notes that the attack can only be executed locally. Consequently, the impact is confined to availability for local users, and the overall risk from remote attackers remains low.

Generated by OpenCVE AI on April 16, 2026 at 15:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Snowflake JDBC driver to the patched version that includes commit 5fb0a8a318a2ed87f4022a1f56e742424ba94052 or newer, which resolves the regular expression issue.
  • If an immediate upgrade is not possible, modify your application configurations to remove or sanitize any user-supplied values for the nonProxyHosts parameter in JDBC URLs.
  • Limit local deployment of the JDBC driver to trusted environments and monitor CPU usage for abnormal spikes; consider resource limits or isolation policies to mitigate potential DoS effects.
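The second recommended action (sanitize user-supplied nonProxyHosts values before they reach the driver) can be enforced at the application boundary. The following Java utility is an added example and is not code from the Snowflake JDBC project or from this advisory; it assumes the JVM convention that nonProxyHosts is a '|'-separated list of host patterns in which '*' is the only wildcard, an assumption not stated on this page, and it does not reproduce the driver's own pattern handling. It rejects anything outside a small hostname character set, caps total and per-entry length, and matches hosts with a bounded two-pointer glob matcher instead of a compiled regex, so a crafted value can neither carry regex metacharacters nor drive matching into exponential backtracking.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import java.util.Properties;
import java.util.regex.Pattern;

/**
 * Added example, not Snowflake JDBC code. Validates a nonProxyHosts value
 * before it is handed to the driver and matches hosts without a regex.
 *
 * Assumption (not from the advisory): nonProxyHosts is a '|'-separated list of
 * host patterns where '*' is the only wildcard (the JVM nonProxyHosts convention).
 */
public final class NonProxyHostsGuard {

    // Hard caps: bounded input cannot drive any matcher to pathological cost.
    private static final int MAX_TOTAL_LENGTH = 1024;
    private static final int MAX_ENTRIES = 64;
    private static final int MAX_ENTRY_LENGTH = 253; // maximum DNS name length

    // Allowed entry alphabet: hostname characters plus '*'. No regex metacharacters
    // survive, and this pattern has no nested quantifiers, so it matches in linear time.
    private static final Pattern ENTRY = Pattern.compile("[A-Za-z0-9.\\-*]+");

    private NonProxyHostsGuard() {}

    /** Returns the normalized entry list, or throws IllegalArgumentException if unsafe. */
    public static List<String> validate(String raw) {
        if (raw == null) {
            throw new IllegalArgumentException("nonProxyHosts is null");
        }
        if (raw.length() > MAX_TOTAL_LENGTH) {
            throw new IllegalArgumentException("nonProxyHosts exceeds " + MAX_TOTAL_LENGTH + " characters");
        }
        String[] parts = raw.split("\\|", -1);
        if (parts.length > MAX_ENTRIES) {
            throw new IllegalArgumentException("nonProxyHosts has more than " + MAX_ENTRIES + " entries");
        }
        List<String> out = new ArrayList<>();
        for (String part : parts) {
            String e = part.trim().toLowerCase(Locale.ROOT);
            if (e.isEmpty() || e.length() > MAX_ENTRY_LENGTH || !ENTRY.matcher(e).matches()) {
                throw new IllegalArgumentException("invalid nonProxyHosts entry: '" + part + "'");
            }
            // Collapse runs of '*' so the matcher never sees redundant wildcards.
            out.add(e.replaceAll("\\*{2,}", "*"));
        }
        return out;
    }

    /**
     * Glob match where '*' matches any run of characters. Backtracks only to the
     * last '*', so worst-case cost is O(pattern * host), never exponential.
     */
    public static boolean globMatches(String pattern, String host) {
        int p = 0, h = 0, starP = -1, starH = -1;
        while (h < host.length()) {
            if (p < pattern.length() && pattern.charAt(p) == host.charAt(h)) {
                p++; h++;
            } else if (p < pattern.length() && pattern.charAt(p) == '*') {
                starP = p++; starH = h;
            } else if (starP >= 0) {
                p = starP + 1; h = ++starH;
            } else {
                return false;
            }
        }
        while (p < pattern.length() && pattern.charAt(p) == '*') p++;
        return p == pattern.length();
    }

    /** True if any validated entry matches the host (host is compared case-insensitively). */
    public static boolean bypassesProxy(List<String> entries, String host) {
        String h = host.toLowerCase(Locale.ROOT);
        for (String e : entries) {
            if (globMatches(e, h)) return true;
        }
        return false;
    }

    /** Builds driver properties with only a validated nonProxyHosts value set. */
    public static Properties withNonProxyHosts(Properties base, String rawNonProxyHosts) {
        List<String> entries = validate(rawNonProxyHosts);
        Properties props = new Properties();
        props.putAll(base);
        props.setProperty("nonProxyHosts", String.join("|", entries)); // property name per advisory
        return props;
    }

    public static void main(String[] args) {
        // Constructed sample values for demonstration.
        List<String> ok = validate("localhost|*.internal.example|10.0.*");
        System.out.println(bypassesProxy(ok, "db.internal.example"));   // true
        System.out.println(bypassesProxy(ok, "snowflakecomputing.com")); // false
        try {
            validate("(a+)+$"); // regex metacharacters are rejected before any matching happens
        } catch (IllegalArgumentException ex) {
            System.out.println("rejected: " + ex.getMessage());
        }
    }
}
```

Call withNonProxyHosts on the Properties passed to DriverManager.getConnection so that only a validated value reaches the driver; the glob matcher is included so an application that decides proxy bypass itself need not compile a user-controlled pattern at all.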


Advisories

Source: GitHub GHSA
ID: GHSA-gx6c-pv62-9mcf
Title: Snowflake JDBC Driver is Vulnerable to Uncontrolled Resource Consumption through SdkProxyRoutePlanner
History

Mon, 02 Mar 2026 15:30:00 +0000
  CPEs (added): cpe:2.3:a:snowflake:snowflake_jdbc:*:*:*:*:*:*:*:*

Mon, 02 Mar 2026 12:15:00 +0000
  First Time appeared (added): Snowflake; Snowflake snowflake Jdbc
  Vendors & Products (added): Snowflake; Snowflake snowflake Jdbc

Sat, 28 Feb 2026 00:15:00 +0000
  References (added)
  Metrics threat_severity: removed None; added Low

Fri, 27 Feb 2026 19:15:00 +0000
  Metrics ssvc (added): {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 27 Feb 2026 05:45:00 +0000
  Description (added): A weakness has been identified in snowflakedb snowflake-jdbc up to 4.0.1. Impacted is the function SdkProxyRoutePlanner of the file src/main/java/net/snowflake/client/internal/core/SdkProxyRoutePlanner.java of the component JDBC URL Handler. Executing a manipulation of the argument nonProxyHosts can lead to inefficient regular expression complexity. The attack can only be executed locally. The exploit has been made available to the public and could be used for attacks. This patch is called 5fb0a8a318a2ed87f4022a1f56e742424ba94052. A patch should be applied to remediate this issue.
  Title (added): snowflakedb snowflake-jdbc JDBC URL SdkProxyRoutePlanner.java SdkProxyRoutePlanner redos
  Weaknesses (added): CWE-1333; CWE-400
  References (added)
  Metrics cvssV2_0 (added): {'score': 1.7, 'vector': 'AV:L/AC:L/Au:S/C:N/I:N/A:P/E:POC/RL:OF/RC:C'}
  Metrics cvssV3_0 (added): {'score': 3.3, 'vector': 'CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C'}
  Metrics cvssV3_1 (added): {'score': 3.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C'}
  Metrics cvssV4_0 (added): {'score': 4.8, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P'}

MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-27T18:53:38.099Z

Reserved: 2026-02-26T18:34:00.508Z

Link: CVE-2026-3293

Vulnrichment

Updated: 2026-02-27T18:53:34.765Z

NVD

Status: Analyzed

Published: 2026-02-27T06:18:00.250

Modified: 2026-03-02T15:17:33.013

Link: CVE-2026-3293

Redhat

Severity: Low

Public Date: 2026-02-27T05:32:09Z

Links: CVE-2026-3293 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-16T15:45:16Z

Weaknesses