PT-2023-19070 · PyPI · Spotipy
Shaderbug · Published 2023-01-23 · Updated 2023-02-06 · CVE-2023-23608
CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
Name of the Vulnerable Software and Affected Versions: Spotipy versions prior to 2.22.1
Description: A crafted URI or URL passed to the library can trick it into performing an operation against a different API endpoint than the one intended. The code that parses Spotify URIs and URLs into IDs accepts user-supplied data too liberally, so an attacker can inject arbitrary characters, including path separators and "..", into the path used for the API request. For example, by embedding ".." in a track URI, an attacker can redirect a lookup made through spotifyApi.track() to an arbitrary endpoint such as playlists. The impact depends heavily on how the client application obtains URIs from users and how it uses the responses returned by the API.
Recommendations: For versions prior to 2.22.1, update to version 2.22.1, which resolves the issue. As a temporary workaround, parse URLs and URIs strictly before handing them to the library, for example by rejecting any extracted ID that is not purely alphanumeric, so that no path separator or ".." segment can reach the request path. Restrict the application's access to sensitive API endpoints so that a redirected request cannot perform unauthorized operations, and avoid passing user-provided URIs directly into API requests until the library is updated.
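To make the parsing problem and the recommended stricter parsing concrete, the following is an added Python example written for this page; it is not Spotipy's code and does not reproduce its parser. extract_id_permissive is a hypothetical parser that returns whatever follows the type segment of a URI or URL unchecked, which is the class of bug described above; extract_id_strict is the hardened form that only accepts a bare ID. The 22-character base62 ID format, the sample IDs, and the assumption that the server resolves "." and ".." segments as RFC 3986 describes are all assumptions of the example.

```python
import posixpath
import re
from urllib.parse import urlparse

API_BASE = "https://api.spotify.com/v1"

# Assumption for this example: a Spotify ID is a 22-character base62 string.
# Anything else (slashes, dots, colons) must never reach the request path.
SPOTIFY_ID_RE = re.compile(r"[A-Za-z0-9]{22}")


def extract_id_permissive(kind: str, value: str) -> str:
    """Hypothetical stand-in for a too-liberal parser (not Spotipy's own code).

    Accepts a bare ID, a 'spotify:<kind>:<id>' URI or an
    'https://open.spotify.com/<kind>/<id>' URL and returns whatever follows
    the type segment without validating it.
    """
    if value.startswith(("http://", "https://")):
        path = urlparse(value).path          # query string is dropped here
        marker = f"/{kind}/"
        if marker not in path:
            raise ValueError(f"not a {kind} URL: {value!r}")
        return path.split(marker, 1)[1]      # keeps '/', '..' and anything else
    parts = value.split(":")
    if len(parts) >= 3 and parts[0] == "spotify" and parts[1] == kind:
        return ":".join(parts[2:])           # same problem for the URI form
    return value                             # assumed to be a bare ID


def extract_id_strict(kind: str, value: str) -> str:
    """Hardened variant: same accepted forms, but the ID must be pure base62."""
    candidate = extract_id_permissive(kind, value)
    if not SPOTIFY_ID_RE.fullmatch(candidate):
        raise ValueError(f"invalid Spotify {kind} ID: {candidate!r}")
    return candidate


def track_request_url(reference: str, strict: bool = False) -> str:
    """Build the URL a track lookup would hit; strict=True uses the hardened parser."""
    extract = extract_id_strict if strict else extract_id_permissive
    return f"{API_BASE}/tracks/{extract('track', reference)}"


def effective_endpoint(url: str) -> str:
    """Resolve '.' and '..' segments the way an RFC 3986-conformant server would
    (assumption: the client sends the path verbatim and the server normalises it)."""
    parsed = urlparse(url)
    return f"{parsed.scheme}://{parsed.netloc}{posixpath.normpath(parsed.path)}"


def is_safe_reference(kind: str, value: str) -> bool:
    """True if the hardened parser accepts the reference."""
    try:
        extract_id_strict(kind, value)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample inputs (not real Spotify IDs).
    benign = "spotify:track:0123456789abcdefghijkl"
    crafted = "spotify:track:../playlists/0123456789abcdefghijkl"
    for ref in (benign, crafted):
        url = track_request_url(ref)
        print(f"{ref}\n  builds   {url}\n  resolves {effective_endpoint(url)}")
        print(f"  strict accepts: {is_safe_reference('track', ref)}")
```

Running the block shows the crafted track URI building a path under /v1/tracks/ that resolves to /v1/playlists/ once the dot segment is collapsed, while the strict parser rejects it before any request is built. Whether a real deployment is exploitable also depends on whether the HTTP client or the server normalises dot segments, which is why the check belongs at the parsing step rather than relying on either side's path handling.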

Exploit · Fix · Path traversal


Weakness Enumeration
Related Identifiers: CVE-2023-23608, GHSA-Q764-G6FM-555V
Affected Products: Spotipy