Platform: java
Component: net.snowflake:snowflake-jdbc
Fixed in: 4.0.1, 4.0.2
A weakness has been identified in Snowflake JDBC Driver versions up to 4.0.1. It affects the SdkProxyRoutePlanner function within the JDBC URL Handler component, specifically the handling of the nonProxyHosts argument. A crafted value triggers inefficient regular expression processing (ReDoS), which can consume excessive system resources. A patch is available to address this issue.
The vulnerability lies in the way the Snowflake JDBC Driver handles the nonProxyHosts argument within the SdkProxyRoutePlanner function. An attacker, operating locally, can craft a malicious input that triggers an inefficient regular expression. This can lead to excessive CPU usage and potentially denial of service, as the system struggles to process the complex regex. While the impact is considered LOW due to the local execution requirement, the potential for resource exhaustion warrants prompt remediation. The availability of a public exploit increases the risk of exploitation.
The exploit for CVE-2026-3293 has been publicly released, increasing the likelihood of exploitation. The vulnerability is considered LOW severity based on its CVSS score and the requirement for local execution. It is not currently listed on the CISA KEV catalog. Active campaigns targeting this specific vulnerability are not currently known, but the public availability of the exploit warrants vigilance.
Exploit Status
EPSS: 0.01% (1st percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-3293 is to upgrade to a patched version of the Snowflake JDBC Driver. The patch identifier is 5fb0a8a318a2ed87f4022a1f56e742424ba94052. Before upgrading, assess the potential impact on existing applications and consider a staged rollout. If an immediate upgrade is not feasible, consider implementing input validation on the nonProxyHosts parameter to restrict the complexity of the provided values. After upgrade, confirm the fix by attempting to trigger the vulnerable function with a complex nonProxyHosts value and verifying that it does not result in excessive resource consumption.
Update the snowflake-jdbc library to a version later than 4.0.1 that contains the fix for the ReDoS vulnerability in the SdkProxyRoutePlanner function. Refer to the snowflake-jdbc release notes for more details about the update.
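The following is an added example, not code from the advisory or from Snowflake, showing how an application could apply the interim mitigation above: validate a nonProxyHosts value (length, entry count, allowed characters) before handing it to the driver, and match hosts with plain prefix/suffix comparison instead of converting the glob into a backtracking regular expression, which is the general class of problem the advisory describes. It assumes the documented pipe-separated, '*'-wildcard syntax for nonProxyHosts and the useProxy/proxyHost/proxyPort connection property names; the numeric caps are illustrative choices, not values from the advisory.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Locale;
import java.util.Properties;

// Added example, not Snowflake's code. Assumes the documented nonProxyHosts
// syntax: entries separated by '|', optional '*' wildcard at the start or end
// of an entry, e.g. "localhost|127.*|*.example.com".
public final class NonProxyHostsGuard {

    // Caps are illustrative choices, not values from the advisory.
    static final int MAX_TOTAL_LENGTH = 1024;
    static final int MAX_ENTRIES = 32;
    static final int MAX_ENTRY_LENGTH = 253; // DNS name length limit

    /** Validates a raw nonProxyHosts value; returns the cleaned entries or throws. */
    static List<String> validate(String raw) {
        if (raw == null) return Collections.emptyList();
        if (raw.length() > MAX_TOTAL_LENGTH)
            throw new IllegalArgumentException("nonProxyHosts too long: " + raw.length());
        List<String> entries = new ArrayList<>();
        for (String part : raw.split("\\|", -1)) {
            String e = part.trim().toLowerCase(Locale.ROOT);
            if (e.isEmpty()) continue;
            if (e.length() > MAX_ENTRY_LENGTH)
                throw new IllegalArgumentException("entry too long: " + e.length());
            if (!wellFormed(e))
                throw new IllegalArgumentException("bad nonProxyHosts entry: " + e);
            entries.add(e);
            if (entries.size() > MAX_ENTRIES)
                throw new IllegalArgumentException("too many nonProxyHosts entries");
        }
        return entries;
    }

    // Single linear pass, no regex: the validator itself cannot become a ReDoS vector.
    static boolean wellFormed(String e) {
        int n = e.length();
        for (int i = 0; i < n; i++) {
            char c = e.charAt(i);
            boolean wildcard = c == '*' && (i == 0 || i == n - 1);
            boolean hostChar = (c >= 'a' && c <= 'z') || (c >= '0' && c <= '9')
                    || c == '.' || c == '-';
            if (!wildcard && !hostChar) return false;
        }
        return true;
    }

    /** Linear-time host match using prefix/suffix comparison instead of a compiled glob. */
    static boolean bypassesProxy(String host, List<String> entries) {
        String h = host.toLowerCase(Locale.ROOT);
        for (String e : entries) {
            if (e.equals("*")) return true;
            boolean lead = e.startsWith("*");
            boolean trail = e.endsWith("*");
            String core = e.substring(lead ? 1 : 0, trail ? e.length() - 1 : e.length());
            boolean hit;
            if (lead && trail) hit = h.contains(core);
            else if (lead) hit = h.endsWith(core);
            else if (trail) hit = h.startsWith(core);
            else hit = h.equals(core);
            if (hit) return true;
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample configuration (documented Snowflake JDBC property names, assumed here).
        String untrusted = "localhost|127.*|*.internal.example.com";
        List<String> entries = validate(untrusted);
        Properties props = new Properties();
        props.setProperty("useProxy", "true");
        props.setProperty("proxyHost", "proxy.example.com");
        props.setProperty("proxyPort", "8080");
        props.setProperty("nonProxyHosts", String.join("|", entries));
        System.out.println("accepted: " + props.getProperty("nonProxyHosts"));
        System.out.println("db.internal.example.com bypasses proxy: "
                + bypassesProxy("db.internal.example.com", entries));

        // Constructed pathological input: a long run of repeated characters that a
        // naive glob-to-regex conversion could choke on. The total-length cap rejects it
        // before any pattern handling takes place.
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < 5000; i++) sb.append("a*");
        try {
            validate(sb.toString());
        } catch (IllegalArgumentException ex) {
            System.out.println("rejected: " + ex.getMessage());
        }
    }
}
```

The guard sits in the application, between whatever source supplies the connection settings and the `Properties` passed to `DriverManager.getConnection`, so it limits exposure only for that application; the durable fix remains upgrading the driver to a release containing the patch.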
CVE-2026-3293 is a LOW severity vulnerability in Snowflake JDBC Driver versions up to 4.0.1. It allows manipulation of the nonProxyHosts argument to cause inefficient regular expression complexity, potentially leading to resource exhaustion.
Yes, if you are using Snowflake JDBC Driver version 4.0.1 or earlier, you are potentially affected by this vulnerability. Upgrade to the patched version to mitigate the risk.
Upgrade to a patched version of Snowflake JDBC Driver with patch identifier 5fb0a8a318a2ed87f4022a1f56e742424ba94052. Consider input validation as a temporary workaround.
While active campaigns are not currently known, a public exploit is available, increasing the risk of exploitation. Vigilance and prompt patching are recommended.
Refer to the Snowflake security advisories page for the latest information and official guidance regarding CVE-2026-3293: [https://security.snowflake.com/](https://security.snowflake.com/)