← Voltar para CVEs

CVE-2025-27154

CRITICAL

9.8

Descricao

Spotipy is a lightweight Python library for the Spotify Web API. The `CacheHandler` class creates a cache file to store the auth token. Prior to version 2.25.1, the file created has `rw-r--r--` (644) permissions by default, when it could be locked down to `rw-------` (600) permissions. This leads to overly broad exposure of the spotify auth token. If this token can be read by an attacker (another user on the machine, or a process running as another user), it can be used to perform administrative actions on the Spotify account, depending on the scope granted to the token. Version 2.25.1 tightens the cache file permissions.

Detalhes CVE

Pontuacao CVSS v3.19.8

SeveridadeCRITICAL

Vetor CVSSCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Vetor de ataqueNETWORK

ComplexidadeLOW

Privilegios necessariosNONE

Interacao do usuarioNONE

Publicado2/27/2025

Ultima modificacao4/7/2025

Fontenvd

Avistamentos honeypot0

Produtos afetados

spotipy_project:spotipy

Fraquezas (CWE)

CWE-276

Referencias

https://github.com/spotipy-dev/spotipy/blob/master/spotipy/cache_handler.py#L93-L98(security-advisories@github.com)

https://github.com/spotipy-dev/spotipy/commit/1ca453f6ef87a2a9e9876f52b6cb38d13532ccf2(security-advisories@github.com)

https://github.com/spotipy-dev/spotipy/releases/tag/2.25.1(security-advisories@github.com)

https://github.com/spotipy-dev/spotipy/security/advisories/GHSA-pwhh-q4h6-w599(security-advisories@github.com)

https://github.com/spotipy-dev/spotipy/security/advisories/GHSA-pwhh-q4h6-w599(134c704f-9b21-4f2e-91b3-4a467353bcc0)

Correlacoes IOC

Sem correlacoes registradas

This product uses data from the NVD API but is not endorsed or certified by the NVD.