Description

Spotipy is a lightweight Python library for the Spotify Web API. The `CacheHandler` class creates a cache file to store the auth token. Prior to version 2.25.1, the file created has `rw-r--r--` (644) permissions by default, when it could be locked down to `rw-------` (600) permissions. This leads to overly broad exposure of the spotify auth token. If this token can be read by an attacker (another user on the machine, or a process running as another user), it can be used to perform administrative actions on the Spotify account, depending on the scope granted to the token. Version 2.25.1 tightens the cache file permissions.

INFO

Published Date :

2025-02-27T13:53:54.161Z

Last Modified :

2025-02-27T14:29:50.364Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2025-27154 vulnerability.

Vendors Products
Spotipy Project
  • Spotipy
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-27154.

URL Resource
https://github.com/spotipy-dev/spotipy/blob/master/spotipy/cache_handler.py#L93-L98 cve-icon cve-icon
https://github.com/spotipy-dev/spotipy/commit/1ca453f6ef87a2a9e9876f52b6cb38d13532ccf2 cve-icon cve-icon
https://github.com/spotipy-dev/spotipy/releases/tag/2.25.1 cve-icon cve-icon
https://github.com/spotipy-dev/spotipy/security/advisories/GHSA-pwhh-q4h6-w599 cve-icon cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability
Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact