Security Bulletin: IBM App Connect Enterprise is vulnerable to Remote Code Execution and improper preservation of permissions due to jsonpath-plus & snowflake-sdk (CVE-2025-1302 & CVE-2025-24791)
Summary IBM App Connect Enterprise runtime, IBM App Connect Enterprise Discovery Connectors and IBM App Connect Enterprise Connector Discovery and OpenAPI Editor are vulnerable to Remote Code Execution (RCE) and improper preservation of permissions due to jsonpath-plus & snowflake-sdk. Vulnerabilit...
Time-of-Check To Time-of-Use (TOCTOU) Race Condition
snowflake-sdk is vulnerable to a Time-of-Check to Time-of-Use (TOCTOU) race condition. The vulnerability is due to improper validation of file ownership and permissions during logging configuration loading, allowing an attacker to modify the file between the check and its use...
@abaplint/database-snowflake (>=2.7.93 <=2.7.101), @activeboxes/piece-snowflake (=0.0.10) +176 more potentially affected by CVE-2025-46328 via snowflake-sdk (>=1.10.0 <=2.0.2)
snowflake-sdk NPM version =1.10.0, =2.7.93, =0.0.1, =0.0.19, =0.0.5, =8.0.0, =0.1.0, =0.1.0, =1.8.0, =0.0.0, =0.4.4, =0.7.17, =1.0.0, =1.0.2 and more Source cves: CVE-2025-46328 Source advisory: OSV:GHSA-WMJQ-JRM2-9WFR...
@abaplint/database-snowflake (>=2.7.93 <=2.7.101), @activeboxes/piece-snowflake (=0.0.10) +172 more potentially affected by CVE-2025-24791 via snowflake-sdk (>=1.13.1 <=1.9.3)
snowflake-sdk NPM version =1.13.1, =2.7.93, =0.0.1, =0.0.19, =0.0.5, =8.0.0, =1.8.0, =0.0.0, =0.4.4, =0.7.17, =1.0.0, =0.0.2, =1.0.2, =1.0.3 and more Source cves: CVE-2025-24791 Source advisory: OSV:GHSA-XFHV-WQJ6-RX99...
Command Injection
snowflake-sdk is vulnerable to Command Injection. The vulnerability is due to the usage of an unsafe eval on user input, which allows an attacker to create a rogue SSO server which, when a user connects to it, results in code injection...