Critical Snowplow Security Updates & Impact on Open Source Software Users

Action may be required.

Users of Snowplow Open Source Software releases (pre-2024) should be aware that we have released security patches for 5 recently discovered CVEs, 4 of which are critical denial-of-service (DoS) issues.

In line with responsible disclosure practices, we have filed these vulnerabilities with cve.org. In 90 days (April 2025), we will publicly disclose the technical details; this delay gives our subscription customers time to upgrade before the exploit details become public.

If you are a Snowplow Open Source user, you can access the latest code containing the security patch today, but note that the Snowplow Limited Use License restricts usage of this software in a production environment. To remove this restriction, please reach out to the Snowplow team.

If you are a Snowplow HA Pipeline customer, you may freely apply these patches today. Please contact Snowplow Customer Support if you did not receive upgrade instructions.

If you are a Snowplow BDP customer, you do not have to worry, as no action is required. Your software has already been patched.