PT-2025-8943 · Spotipy · Spotipy

Alichtman · Published 2025-02-27 · Updated 2025-03-03 · CVE-2025-27154

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Spotipy versions prior to 2.25.1

Description: The issue concerns the CacheHandler class in Spotipy, which creates the cache file that stores the auth token with overly broad permissions. This allows potential exposure of the Spotify auth token, which could be read by an attacker, such as another user on the machine or a process running as another user. If accessed, the token can be used to perform administrative actions on the Spotify account, depending on the scope granted to the token.

Recommendations: For versions prior to 2.25.1, update to version 2.25.1 to tighten the cache file permissions and prevent overly broad exposure of the Spotify auth token.
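As an added illustration of the defect class described above (this is not Spotipy's own code and not its actual fix), the following Python writes a token cache file the loose way and the tightened way, and includes a check a defender can run to detect a cache file readable by other local users. The file names, function names and sample token are constructed; POSIX permission semantics (Linux/macOS) are assumed.

```python
import json
import os
import stat
import tempfile

# Constructed sample payload; not a real Spotify token.
SAMPLE_TOKEN = {"access_token": "EXAMPLE-ACCESS-TOKEN", "scope": "user-read-private"}


def save_token_loose(cache_path, token_info):
    """Weak pattern: plain open() creates the file as 0o666 minus the umask,
    so with the usual 0o022 umask the token is readable by every local user."""
    with open(cache_path, "w") as f:
        json.dump(token_info, f)


def save_token_private(cache_path, token_info):
    """Tightened pattern: ask for 0o600 at creation time, then re-apply it,
    because O_CREAT leaves the mode of an already existing file untouched."""
    fd = os.open(cache_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        json.dump(token_info, f)
    os.chmod(cache_path, stat.S_IRUSR | stat.S_IWUSR)


def is_private(cache_path):
    """Audit check: True only when no group or other permission bit is set."""
    mode = stat.S_IMODE(os.stat(cache_path).st_mode)
    return (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def demo():
    """Write the sample token into a fresh temp dir both ways and report whether
    each resulting file is private. Sets umask 0o022 for a reproducible result."""
    old_umask = os.umask(0o022)
    try:
        tmp = tempfile.mkdtemp()
        loose = os.path.join(tmp, "cache-loose")
        private = os.path.join(tmp, "cache-private")
        save_token_loose(loose, SAMPLE_TOKEN)
        save_token_private(private, SAMPLE_TOKEN)
        loose_before = is_private(loose)
        # Re-saving with the tightened writer must also fix a pre-existing loose file.
        save_token_private(loose, SAMPLE_TOKEN)
        return {"loose": loose_before, "private": is_private(private),
                "loose_after_rewrite": is_private(loose)}
    finally:
        os.umask(old_umask)


if __name__ == "__main__":
    print(demo())  # {'loose': False, 'private': True, 'loose_after_rewrite': True}
```

Running `is_private` against an existing cache file on a shared host is a quick way to confirm whether a deployed version still leaves the token exposed.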

Weakness Enumeration

Incorrect Default Permissions

Related Identifiers

CVE-2025-27154
GHSA-PWHH-Q4H6-W599
OPENSUSE-SU-2025:14847-1

Affected Products

Spotipy