← Back to CVEs

CVE-2025-27154

CRITICAL

9.8

Description

Spotipy is a lightweight Python library for the Spotify Web API. The `CacheHandler` class creates a cache file to store the auth token. Prior to version 2.25.1, the file created has `rw-r--r--` (644) permissions by default, when it could be locked down to `rw-------` (600) permissions. This leads to overly broad exposure of the spotify auth token. If this token can be read by an attacker (another user on the machine, or a process running as another user), it can be used to perform administrative actions on the Spotify account, depending on the scope granted to the token. Version 2.25.1 tightens the cache file permissions.

CVE Details

CVSS v3.1 Score9.8

SeverityCRITICAL

CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack VectorNETWORK

ComplexityLOW

Privileges RequiredNONE

User InteractionNONE

Published2/27/2025

Last Modified4/7/2025

Sourcenvd

Honeypot Sightings0

Affected Products

spotipy_project:spotipy

Weaknesses (CWE)

CWE-276

References

https://github.com/spotipy-dev/spotipy/blob/master/spotipy/cache_handler.py#L93-L98(security-advisories@github.com)

https://github.com/spotipy-dev/spotipy/commit/1ca453f6ef87a2a9e9876f52b6cb38d13532ccf2(security-advisories@github.com)

https://github.com/spotipy-dev/spotipy/releases/tag/2.25.1(security-advisories@github.com)

https://github.com/spotipy-dev/spotipy/security/advisories/GHSA-pwhh-q4h6-w599(security-advisories@github.com)

https://github.com/spotipy-dev/spotipy/security/advisories/GHSA-pwhh-q4h6-w599(134c704f-9b21-4f2e-91b3-4a467353bcc0)

IOC Correlations

No correlations recorded

This product uses data from the NVD API but is not endorsed or certified by the NVD.