CVE-2026-13749
Snowflake · Snowflake CLI
An improper neutralization vulnerability exists within the Snowpark annotation processor callback template in the Snowflake CLI, potentially allowing for code injection.
Executive summary
The Snowflake CLI is affected by an improper neutralization vulnerability in its callback template that could allow attackers to execute arbitrary code.
Vulnerability
The vulnerability resides in the Snowpark annotation processor callback template, which does not properly neutralize the input it renders. Triggering the template typically requires some level of access, so an authenticated user, or an attacker with influence over the template input, could achieve unintended code execution.
Business impact
A CVSS score of 8.8 indicates a high risk of unauthorized code execution within the development or deployment environment. Successful exploitation could lead to the compromise of sensitive credentials, data exfiltration from Snowflake environments, or the injection of malicious logic into automated data pipelines, causing significant operational and reputational damage.
Remediation
Immediate Action: Upgrade the Snowflake CLI to the latest version as recommended by the vendor to ensure the callback template is properly secured.
Proactive Monitoring: Review CI/CD pipeline execution logs and CLI usage patterns for unexpected command invocations or unauthorized modifications to annotation templates.
Compensating Controls: Implement strict input validation for all scripts and templates that interact with the Snowflake CLI, and enforce the principle of least privilege for service accounts that use the tool.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Security teams must treat this vulnerability with high urgency, particularly in environments where the CLI is integrated into automated workflows. Updating to the latest patched version is the only effective way to neutralize the risk posed by the flawed callback template.