CVE-2025-27154

Spotipy is a lightweight Python library for the Spotify Web API. The `CacheHandler` class creates a cache file to store the auth token. Prior to version 2.25.1, the file created has `rw-r--r--` (644) permissions by default, when it could be locked down to `rw-------` (600) permissions. This leads to overly broad exposure of the spotify auth token. If this token can be read by an attacker (another user on the machine, or a process running as another user), it can be used to perform administrative actions on the Spotify account, depending on the scope granted to the token. Version 2.25.1 tightens the cache file permissions.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/spotipy-dev/spotipy/blob/master/spotipy/cache_handler.py#L93-L98	Product
https://github.com/spotipy-dev/spotipy/commit/1ca453f6ef87a2a9e9876f52b6cb38d13532ccf2	Patch
https://github.com/spotipy-dev/spotipy/releases/tag/2.25.1	Release Notes
https://github.com/spotipy-dev/spotipy/security/advisories/GHSA-pwhh-q4h6-w599	Exploit Vendor Advisory
https://github.com/spotipy-dev/spotipy/security/advisories/GHSA-pwhh-q4h6-w599	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:spotipy_project:spotipy:*:*:*:*:*:*:*:*

History

07 Apr 2025, 18:24

Type	Values Removed	Values Added
Summary		(es) Spotipy es una librería Python liviana para la API web de Spotify. La clase `CacheHandler` crea un archivo de caché para almacenar el token de autenticación. Antes de la versión 2.25.1, el archivo creado tenía permisos `rw-r--r--` (644) de forma predeterminada, cuando podía limitarse a permisos `rw-------` (600). Esto conduce a una exposición demasiado amplia del token de autenticación de Spotify. Si un atacante puede leer este token (otro usuario en la máquina o un proceso que se ejecuta como otro usuario), se puede usar para realizar acciones administrativas en la cuenta de Spotify, según el alcance otorgado al token. La versión 2.25.1 restringe los permisos del archivo de caché.
First Time		Spotipy Project Spotipy Project spotipy
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 9.8
References	~~() https://github.com/spotipy-dev/spotipy/blob/master/spotipy/cache_handler.py#L93-L98 -~~	() https://github.com/spotipy-dev/spotipy/blob/master/spotipy/cache_handler.py#L93-L98 - Product
References	~~() https://github.com/spotipy-dev/spotipy/commit/1ca453f6ef87a2a9e9876f52b6cb38d13532ccf2 -~~	() https://github.com/spotipy-dev/spotipy/commit/1ca453f6ef87a2a9e9876f52b6cb38d13532ccf2 - Patch
References	~~() https://github.com/spotipy-dev/spotipy/releases/tag/2.25.1 -~~	() https://github.com/spotipy-dev/spotipy/releases/tag/2.25.1 - Release Notes
References	~~() https://github.com/spotipy-dev/spotipy/security/advisories/GHSA-pwhh-q4h6-w599 -~~	() https://github.com/spotipy-dev/spotipy/security/advisories/GHSA-pwhh-q4h6-w599 - Exploit, Vendor Advisory
CPE		cpe:2.3:a:spotipy_project:spotipy::::::::

27 Feb 2025, 15:15

Type	Values Removed	Values Added
References	~~() https://github.com/spotipy-dev/spotipy/security/advisories/GHSA-pwhh-q4h6-w599 -~~	() https://github.com/spotipy-dev/spotipy/security/advisories/GHSA-pwhh-q4h6-w599 -

27 Feb 2025, 14:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-02-27 14:15

Updated : 2025-04-07 18:24

NVD link : CVE-2025-27154

Mitre link : CVE-2025-27154

CVE.ORG link : CVE-2025-27154

JSON object : View

Products Affected

spotipy_project

spotipy

CWE

CWE-276

Incorrect Default Permissions

{"id": "CVE-2025-27154", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.4, "Automatable": "NOT_DEFINED", "attackVector": "LOCAL", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-02-27T14:15:36.180", "references": [{"url": "https://github.com/spotipy-dev/spotipy/blob/master/spotipy/cache_handler.py#L93-L98", "tags": ["Product"], "source": "security-advisories@github.com"}, {"url": "https://github.com/spotipy-dev/spotipy/commit/1ca453f6ef87a2a9e9876f52b6cb38d13532ccf2", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/spotipy-dev/spotipy/releases/tag/2.25.1", "tags": ["Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/spotipy-dev/spotipy/security/advisories/GHSA-pwhh-q4h6-w599", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/spotipy-dev/spotipy/security/advisories/GHSA-pwhh-q4h6-w599", "tags": ["Exploit", "Vendor Advisory"], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-276"}]}], "descriptions": [{"lang": "en", "value": "Spotipy is a lightweight Python library for the Spotify Web API. The `CacheHandler` class creates a cache file to store the auth token. Prior to version 2.25.1, the file created has `rw-r--r--` (644) permissions by default, when it could be locked down to `rw-------` (600) permissions. This leads to overly broad exposure of the spotify auth token. If this token can be read by an attacker (another user on the machine, or a process running as another user), it can be used to perform administrative actions on the Spotify account, depending on the scope granted to the token. Version 2.25.1 tightens the cache file permissions."}, {"lang": "es", "value": "Spotipy es una librer\u00eda Python liviana para la API web de Spotify. La clase `CacheHandler` crea un archivo de cach\u00e9 para almacenar el token de autenticaci\u00f3n. Antes de la versi\u00f3n 2.25.1, el archivo creado ten\u00eda permisos `rw-r--r--` (644) de forma predeterminada, cuando pod\u00eda limitarse a permisos `rw-------` (600). Esto conduce a una exposici\u00f3n demasiado amplia del token de autenticaci\u00f3n de Spotify. Si un atacante puede leer este token (otro usuario en la m\u00e1quina o un proceso que se ejecuta como otro usuario), se puede usar para realizar acciones administrativas en la cuenta de Spotify, seg\u00fan el alcance otorgado al token. La versi\u00f3n 2.25.1 restringe los permisos del archivo de cach\u00e9."}], "lastModified": "2025-04-07T18:24:53.463", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:spotipy_project:spotipy:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1AF757A1-6C8E-4387-945F-5A3CB03316BE", "versionEndExcluding": "2.25.1"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}

9.8 /10