SNOW-2176524: Vendored urllib3 is affected by CVE-2025-50181 #2377

Open
@mfaafm

Description

The currently vendored version of urllib3 (1.26.18) is affected by the security vulnerability CVE-2025-50181, see details in the following sources:

Therefore, scanners like Nexus IQ from Sonatype report snowflake-connector-python as affected as well. The Sonatype severity is reported as "High risk CVSS score" (CVSS4: 7.1). In the enterprise context, this leads to build failures of pipelines, depending on the settings.

Could you please have a look if there is an upgrade path or the possibility of patching the vendored version to fix it?
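Vendored copies of a library are the awkward case for dependency scanning: they ship without their own dist-info metadata, so tools that walk `pip` metadata never see them, while file-fingerprinting scanners such as Nexus IQ do, which is exactly the mismatch this issue describes. The script below is an added example, not code from the issue or from snowflake-connector-python; it walks a site-packages tree, finds every `urllib3/_version.py` whether top-level or vendored, and flags copies older than a fixed version. It assumes 2.5.0 as the first urllib3 release carrying the fix (check your advisory source), and the vendored path `snowflake/connector/vendored/urllib3` used in the constructed sample tree is an assumption about the connector's layout.

```python
"""Audit a directory tree for every copy of urllib3 (top-level or vendored)
and flag those older than the release that fixes CVE-2025-50181."""
import re
import sys
import tempfile
from pathlib import Path

# Assumption (not stated in the issue): the first urllib3 release with the fix.
FIXED_VERSION = "2.5.0"

# Matches both  __version__ = "1.26.18"  and  __version__ = version = '2.5.0'
_VERSION_RE = re.compile(r"""__version__\s*=\s*(?:version\s*=\s*)?['"]([^'"]+)['"]""")


def parse_version(text):
    """'1.26.18' -> (1, 26, 18); parsing stops at the first non-numeric component."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def is_affected(found, fixed=FIXED_VERSION):
    """True when `found` is numerically older than `fixed` (components padded with zeros)."""
    a, b = parse_version(found), parse_version(fixed)
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))


def find_urllib3_copies(root):
    """Yield (package_dir, version) for every urllib3/_version.py under root.
    Walking the file tree (not pip metadata) is what makes vendored copies visible."""
    for version_file in Path(root).rglob("_version.py"):
        if version_file.parent.name != "urllib3":
            continue
        m = _VERSION_RE.search(version_file.read_text(encoding="utf-8", errors="replace"))
        if m:
            yield version_file.parent, m.group(1)


def audit(root):
    """One dict per copy found: path, version and whether it is below FIXED_VERSION."""
    return [
        {"path": str(pkg_dir), "version": ver, "affected": is_affected(ver)}
        for pkg_dir, ver in find_urllib3_copies(root)
    ]


def build_sample_tree(base=None):
    """Constructed sample site-packages for offline use: a vendored copy at 1.26.18
    (assumed connector layout) next to a top-level copy at 2.5.0."""
    base = base or tempfile.mkdtemp()
    layout = {
        "snowflake/connector/vendored/urllib3/_version.py": '__version__ = "1.26.18"\n',
        "urllib3/_version.py": "__version__ = version = '2.5.0'\n",
    }
    for rel, content in layout.items():
        p = Path(base) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(content, encoding="utf-8")
    return base


if __name__ == "__main__":
    # Pass a real site-packages path to audit it; with no argument the sample tree is used.
    root = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    for row in audit(root):
        flag = "AFFECTED" if row["affected"] else "ok"
        print(f"{flag:9} urllib3 {row['version']:<8} {row['path']}")
```

Run it against the interpreter's site-packages (`python audit_urllib3.py "$(python -c 'import site; print(site.getsitepackages()[0])')"`) to see every copy a fingerprinting scanner would report; a vendored copy will only stop being flagged once the vendoring project upgrades or patches it, which is the request the issue makes.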

Metadata

Labels

- security vulnerability: Security vulnerability detected by WhiteSource
- status-triage_done: Initial triage done, will be further handled by the driver team
