← Zuruck zu CVEs

CVE-2025-27154

CRITICAL

9.8

Beschreibung

Spotipy is a lightweight Python library for the Spotify Web API. The `CacheHandler` class creates a cache file to store the auth token. Prior to version 2.25.1, the file created has `rw-r--r--` (644) permissions by default, when it could be locked down to `rw-------` (600) permissions. This leads to overly broad exposure of the spotify auth token. If this token can be read by an attacker (another user on the machine, or a process running as another user), it can be used to perform administrative actions on the Spotify account, depending on the scope granted to the token. Version 2.25.1 tightens the cache file permissions.

CVE Details

CVSS v3.1 Bewertung9.8

SchweregradCRITICAL

CVSS VektorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AngriffsvektorNETWORK

KomplexitatLOW

Erforderliche PrivilegienNONE

BenutzerinteraktionNONE

Veroffentlicht2/27/2025

Zuletzt geandert4/7/2025

Quellenvd

Honeypot-Sichtungen0

Betroffene Produkte

spotipy_project:spotipy

Schwachen (CWE)

CWE-276

Referenzen

https://github.com/spotipy-dev/spotipy/blob/master/spotipy/cache_handler.py#L93-L98(security-advisories@github.com)

https://github.com/spotipy-dev/spotipy/commit/1ca453f6ef87a2a9e9876f52b6cb38d13532ccf2(security-advisories@github.com)

https://github.com/spotipy-dev/spotipy/releases/tag/2.25.1(security-advisories@github.com)

https://github.com/spotipy-dev/spotipy/security/advisories/GHSA-pwhh-q4h6-w599(security-advisories@github.com)

https://github.com/spotipy-dev/spotipy/security/advisories/GHSA-pwhh-q4h6-w599(134c704f-9b21-4f2e-91b3-4a467353bcc0)

IOC Korrelationen

Keine Korrelationen erfasst

This product uses data from the NVD API but is not endorsed or certified by the NVD.