Description

Spotipy is a Python library for the Spotify Web API. Prior to version 2.25.2, there is a cross-site scripting (XSS) vulnerability in the OAuth callback server that allows for JavaScript injection through the unsanitized error parameter. Attackers can execute arbitrary JavaScript in the user's browser during OAuth authentication. This issue has been patched in version 2.25.2.

INFO

Published Date :

2025-11-26T23:14:44.795Z

Last Modified :

2025-11-28T15:25:40.139Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2025-66040 vulnerability.

Vendors Products
Spotipy Project
  • Spotipy
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-66040.

URL Resource
https://github.com/spotipy-dev/spotipy/commit/880b92d7243dcf2b83bf31dc365a858d8b5e6767 cve-icon cve-icon
https://github.com/spotipy-dev/spotipy/security/advisories/GHSA-r77h-rpp9-w2xm cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact