PT-2025-21569 · Spotipy · Spotipy

Albertopellitteri (+1) · Published 2025-05-15 · Updated 2025-05-16 · CVE-2025-47928

CVSS v3.1: 9.1 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Spotipy versions prior to the commit that reverted the change (commit 9dfb7177b8d7bb98a5a6014f8e6436812a47576f)
Description: The workflow .github/workflows/integration_tests.yml is triggered by pull_request_target. With this trigger, a job runs in the context of the base repository, so it receives the base repository's secrets and a GITHUB_TOKEN with write permissions, while the pull request code it checks out and runs is controlled by an untrusted contributor. An attacker can therefore open a pull request whose code executes inside the privileged job and exfiltrates GITHUB_TOKEN, SPOTIPY_CLIENT_ID, and SPOTIPY_CLIENT_SECRET. Because the GITHUB_TOKEN carries contents write privileges, it can be used to completely take over the repository. This is a major security concern in public repositories, as it allows untrusted code from a pull request to run with the context of the base repository.
Recommendations: As a temporary workaround, disable the use of pull_request_target in .github/workflows/integration_tests.yml until a patch is available. Restrict access to secrets such as GITHUB_TOKEN, SPOTIPY_CLIENT_ID, and SPOTIPY_CLIENT_SECRET to minimize the impact of exploitation. Update to a version that includes commit 9dfb7177b8d7bb98a5a6014f8e6436812a47576f, which reverted the change that introduced the issue.
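The pattern the advisory describes can be caught before a workflow is merged. The following is an added example, not Spotipy's workflow or any code from the project: it audits a workflow file for the combination of a pull_request_target trigger, a checkout of the pull request head, and secrets passed to the job, using two constructed sample workflows (the second differs only in using the safe pull_request trigger).

```python
import re

# Constructed sample workflow (not Spotipy's real file) showing the risky pattern:
# privileged trigger + checkout of untrusted PR head + secrets in the same job.
VULNERABLE = """\
name: Integration tests
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: pip install . && python -m pytest tests/integration
        env:
          SPOTIPY_CLIENT_ID: ${{ secrets.SPOTIPY_CLIENT_ID }}
          SPOTIPY_CLIENT_SECRET: ${{ secrets.SPOTIPY_CLIENT_SECRET }}
"""

# Same workflow with the plain pull_request trigger: fork PRs then get a
# read-only GITHUB_TOKEN and no repository secrets.
HARDENED = VULNERABLE.replace("pull_request_target:", "pull_request:")

# Coarse textual checks; good enough for a pre-merge lint, not a full YAML parser.
TRIGGER_RE = re.compile(r"\bpull_request_target\b")
PR_HEAD_CHECKOUT_RE = re.compile(
    r"ref:\s*\$\{\{\s*github\.event\.pull_request\.head\.(sha|ref)\s*\}\}")
SECRET_RE = re.compile(r"\$\{\{\s*secrets\.([A-Za-z_][A-Za-z0-9_]*)\s*\}\}")


def audit_workflow(text: str) -> list[str]:
    """Return findings describing why a workflow exposes base-repo privileges to PR code."""
    findings: list[str] = []
    if not TRIGGER_RE.search(text):
        return findings  # pull_request trigger: no base-repo secrets reach fork PRs
    findings.append("privileged trigger: pull_request_target grants the base repo's "
                    "GITHUB_TOKEN and secrets to the job")
    if PR_HEAD_CHECKOUT_RE.search(text):
        findings.append("untrusted code: the PR head is checked out and can run in later steps")
        # Each secret referenced in the job is reachable by that untrusted code.
        for name in sorted(set(SECRET_RE.findall(text))):
            findings.append(f"secret exposed to PR code: {name}")
    return findings


if __name__ == "__main__":
    for label, wf in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        print(label, audit_workflow(wf) or ["no findings"])
```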

Related Identifiers

CVE-2025-47928
GHSA-H25V-8C87-RVM8

Affected Products

Spotipy