SNOW-2176524: Vendored urllib3 is affected by CVE-2025-50181

[mfaafm]

The currently vendored version of urllib3 (1.26.18) is affected by the security vulnerability CVE-2025-50181, see details in the following sources:

• https://nvd.nist.gov/vuln/detail/CVE-2025-50181
• GHSA-pq67-6m6q-mj2v

Therefore, scanners like Nexus IQ from Sonatype report snowflake-connector-python as affected as well. The Sonatype severity is reported as "High risk CVSS score" (CVSS4: 7.1). In the enterprise context, this leads to build failures of pipelines, depending on the settings.

Could you please have a look if there is an upgrade path or the possibility of patching the vendored version to fix it?

[sfc-gh-dszmolka]

thanks @mfaafm for pointing this out! We'll take a look and fix.

[dylantack]

Any chance of removing the vendored libraries soon? Besides the CVEs, this is also breaking all our observability tools (New Relic and OpenTelemetry are both unable to instrument the snowflake requests module).

[sfc-gh-mkubik]

Hi @dylantack, I'm working on it. We're aiming to patch both urllib and requests dependency for the next month release.

[JosephMCP]

Hi @sfc-gh-mkubik any update?

[sfc-gh-dszmolka]

it is on the way (#2498), thank you everyone for your patience! Should be available in the next release, towards the end of August / begin September.