CVE-2025-27154 (GCVE-0-2025-27154)
Vulnerability from cvelistv5
Published
2025-02-27 13:53
Modified
2025-02-27 14:29
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-276 - Incorrect Default Permissions
Summary
Spotipy is a lightweight Python library for the Spotify Web API. The `CacheHandler` class creates a cache file to store the auth token. Prior to version 2.25.1, the file created has `rw-r--r--` (644) permissions by default, when it could be locked down to `rw-------` (600) permissions. This leads to overly broad exposure of the spotify auth token. If this token can be read by an attacker (another user on the machine, or a process running as another user), it can be used to perform administrative actions on the Spotify account, depending on the scope granted to the token. Version 2.25.1 tightens the cache file permissions.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| spotipy-dev | spotipy |
Version: < 2.25.1 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-27154",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-27T14:29:34.168048Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-27T14:29:50.364Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/spotipy-dev/spotipy/security/advisories/GHSA-pwhh-q4h6-w599"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "spotipy",
"vendor": "spotipy-dev",
"versions": [
{
"status": "affected",
"version": "\u003c 2.25.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Spotipy is a lightweight Python library for the Spotify Web API. The `CacheHandler` class creates a cache file to store the auth token. Prior to version 2.25.1, the file created has `rw-r--r--` (644) permissions by default, when it could be locked down to `rw-------` (600) permissions. This leads to overly broad exposure of the spotify auth token. If this token can be read by an attacker (another user on the machine, or a process running as another user), it can be used to perform administrative actions on the Spotify account, depending on the scope granted to the token. Version 2.25.1 tightens the cache file permissions."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 8.4,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-276",
"description": "CWE-276: Incorrect Default Permissions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-27T13:53:54.161Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/spotipy-dev/spotipy/security/advisories/GHSA-pwhh-q4h6-w599",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/spotipy-dev/spotipy/security/advisories/GHSA-pwhh-q4h6-w599"
},
{
"name": "https://github.com/spotipy-dev/spotipy/commit/1ca453f6ef87a2a9e9876f52b6cb38d13532ccf2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/spotipy-dev/spotipy/commit/1ca453f6ef87a2a9e9876f52b6cb38d13532ccf2"
},
{
"name": "https://github.com/spotipy-dev/spotipy/blob/master/spotipy/cache_handler.py#L93-L98",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/spotipy-dev/spotipy/blob/master/spotipy/cache_handler.py#L93-L98"
},
{
"name": "https://github.com/spotipy-dev/spotipy/releases/tag/2.25.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/spotipy-dev/spotipy/releases/tag/2.25.1"
}
],
"source": {
"advisory": "GHSA-pwhh-q4h6-w599",
"discovery": "UNKNOWN"
},
"title": "Spotipy\u0027s cache file, containing spotify auth token, is created with overly broad permissions"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-27154",
"datePublished": "2025-02-27T13:53:54.161Z",
"dateReserved": "2025-02-19T16:30:47.780Z",
"dateUpdated": "2025-02-27T14:29:50.364Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2025-27154\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-02-27T14:15:36.180\",\"lastModified\":\"2025-04-07T18:24:53.463\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Spotipy is a lightweight Python library for the Spotify Web API. The `CacheHandler` class creates a cache file to store the auth token. Prior to version 2.25.1, the file created has `rw-r--r--` (644) permissions by default, when it could be locked down to `rw-------` (600) permissions. This leads to overly broad exposure of the spotify auth token. If this token can be read by an attacker (another user on the machine, or a process running as another user), it can be used to perform administrative actions on the Spotify account, depending on the scope granted to the token. Version 2.25.1 tightens the cache file permissions.\"},{\"lang\":\"es\",\"value\":\"Spotipy es una librer\u00eda Python liviana para la API web de Spotify. La clase `CacheHandler` crea un archivo de cach\u00e9 para almacenar el token de autenticaci\u00f3n. Antes de la versi\u00f3n 2.25.1, el archivo creado ten\u00eda permisos `rw-r--r--` (644) de forma predeterminada, cuando pod\u00eda limitarse a permisos `rw-------` (600). Esto conduce a una exposici\u00f3n demasiado amplia del token de autenticaci\u00f3n de Spotify. Si un atacante puede leer este token (otro usuario en la m\u00e1quina o un proceso que se ejecuta como otro usuario), se puede usar para realizar acciones administrativas en la cuenta de Spotify, seg\u00fan el alcance otorgado al token. La versi\u00f3n 2.25.1 restringe los permisos del archivo de cach\u00e9.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":8.4,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"HIGH\",\"vulnIntegrityImpact\":\"HIGH\",\"vulnAvailabilityImpact\":\"NONE\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-276\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:spotipy_project:spotipy:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"2.25.1\",\"matchCriteriaId\":\"1AF757A1-6C8E-4387-945F-5A3CB03316BE\"}]}]}],\"references\":[{\"url\":\"https://github.com/spotipy-dev/spotipy/blob/master/spotipy/cache_handler.py#L93-L98\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Product\"]},{\"url\":\"https://github.com/spotipy-dev/spotipy/commit/1ca453f6ef87a2a9e9876f52b6cb38d13532ccf2\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/spotipy-dev/spotipy/releases/tag/2.25.1\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://github.com/spotipy-dev/spotipy/security/advisories/GHSA-pwhh-q4h6-w599\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/spotipy-dev/spotipy/security/advisories/GHSA-pwhh-q4h6-w599\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"cna\": {\"title\": \"Spotipy\u0027s cache file, containing spotify auth token, is created with overly broad permissions\", \"problemTypes\": [{\"descriptions\": [{\"cweId\": \"CWE-276\", \"lang\": \"en\", \"description\": \"CWE-276: Incorrect Default Permissions\", \"type\": \"CWE\"}]}], \"metrics\": [{\"cvssV4_0\": {\"attackVector\": \"LOCAL\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"vulnConfidentialityImpact\": \"HIGH\", \"vulnIntegrityImpact\": \"HIGH\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"NONE\", \"subIntegrityImpact\": \"NONE\", \"subAvailabilityImpact\": \"NONE\", \"baseScore\": 8.4, \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N\", \"version\": \"4.0\"}}], \"references\": [{\"name\": \"https://github.com/spotipy-dev/spotipy/security/advisories/GHSA-pwhh-q4h6-w599\", \"tags\": [\"x_refsource_CONFIRM\"], \"url\": \"https://github.com/spotipy-dev/spotipy/security/advisories/GHSA-pwhh-q4h6-w599\"}, {\"name\": \"https://github.com/spotipy-dev/spotipy/commit/1ca453f6ef87a2a9e9876f52b6cb38d13532ccf2\", \"tags\": [\"x_refsource_MISC\"], \"url\": \"https://github.com/spotipy-dev/spotipy/commit/1ca453f6ef87a2a9e9876f52b6cb38d13532ccf2\"}, {\"name\": \"https://github.com/spotipy-dev/spotipy/blob/master/spotipy/cache_handler.py#L93-L98\", \"tags\": [\"x_refsource_MISC\"], \"url\": \"https://github.com/spotipy-dev/spotipy/blob/master/spotipy/cache_handler.py#L93-L98\"}, {\"name\": \"https://github.com/spotipy-dev/spotipy/releases/tag/2.25.1\", \"tags\": [\"x_refsource_MISC\"], \"url\": \"https://github.com/spotipy-dev/spotipy/releases/tag/2.25.1\"}], \"affected\": [{\"vendor\": \"spotipy-dev\", \"product\": \"spotipy\", \"versions\": [{\"version\": \"\u003c 2.25.1\", \"status\": \"affected\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-02-27T13:53:54.161Z\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Spotipy is a lightweight Python library for the Spotify Web API. The `CacheHandler` class creates a cache file to store the auth token. Prior to version 2.25.1, the file created has `rw-r--r--` (644) permissions by default, when it could be locked down to `rw-------` (600) permissions. This leads to overly broad exposure of the spotify auth token. If this token can be read by an attacker (another user on the machine, or a process running as another user), it can be used to perform administrative actions on the Spotify account, depending on the scope granted to the token. Version 2.25.1 tightens the cache file permissions.\"}], \"source\": {\"advisory\": \"GHSA-pwhh-q4h6-w599\", \"discovery\": \"UNKNOWN\"}}, \"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-27154\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-02-27T14:29:34.168048Z\"}}}], \"references\": [{\"url\": \"https://github.com/spotipy-dev/spotipy/security/advisories/GHSA-pwhh-q4h6-w599\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-02-27T14:29:46.779Z\"}}]}",
"cveMetadata": "{\"cveId\": \"CVE-2025-27154\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"state\": \"PUBLISHED\", \"assignerShortName\": \"GitHub_M\", \"dateReserved\": \"2025-02-19T16:30:47.780Z\", \"datePublished\": \"2025-02-27T13:53:54.161Z\", \"dateUpdated\": \"2025-02-27T14:29:50.364Z\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
opensuse-su-2025:14847-1
Vulnerability from csaf_opensuse
Published
2025-02-28 00:00
Modified
2025-02-28 00:00
Summary
python311-spotipy-2.25.1-1.1 on GA media
Notes
Title of the patch
python311-spotipy-2.25.1-1.1 on GA media
Description of the patch
These are all security issues fixed in the python311-spotipy-2.25.1-1.1 package on the GA media of openSUSE Tumbleweed.
Patchnames
openSUSE-Tumbleweed-2025-14847
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "python311-spotipy-2.25.1-1.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the python311-spotipy-2.25.1-1.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2025-14847",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2025_14847-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-27154 page",
"url": "https://www.suse.com/security/cve/CVE-2025-27154/"
}
],
"title": "python311-spotipy-2.25.1-1.1 on GA media",
"tracking": {
"current_release_date": "2025-02-28T00:00:00Z",
"generator": {
"date": "2025-02-28T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2025:14847-1",
"initial_release_date": "2025-02-28T00:00:00Z",
"revision_history": [
{
"date": "2025-02-28T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "python311-spotipy-2.25.1-1.1.aarch64",
"product": {
"name": "python311-spotipy-2.25.1-1.1.aarch64",
"product_id": "python311-spotipy-2.25.1-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "python312-spotipy-2.25.1-1.1.aarch64",
"product": {
"name": "python312-spotipy-2.25.1-1.1.aarch64",
"product_id": "python312-spotipy-2.25.1-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "python313-spotipy-2.25.1-1.1.aarch64",
"product": {
"name": "python313-spotipy-2.25.1-1.1.aarch64",
"product_id": "python313-spotipy-2.25.1-1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "python311-spotipy-2.25.1-1.1.ppc64le",
"product": {
"name": "python311-spotipy-2.25.1-1.1.ppc64le",
"product_id": "python311-spotipy-2.25.1-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "python312-spotipy-2.25.1-1.1.ppc64le",
"product": {
"name": "python312-spotipy-2.25.1-1.1.ppc64le",
"product_id": "python312-spotipy-2.25.1-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "python313-spotipy-2.25.1-1.1.ppc64le",
"product": {
"name": "python313-spotipy-2.25.1-1.1.ppc64le",
"product_id": "python313-spotipy-2.25.1-1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "python311-spotipy-2.25.1-1.1.s390x",
"product": {
"name": "python311-spotipy-2.25.1-1.1.s390x",
"product_id": "python311-spotipy-2.25.1-1.1.s390x"
}
},
{
"category": "product_version",
"name": "python312-spotipy-2.25.1-1.1.s390x",
"product": {
"name": "python312-spotipy-2.25.1-1.1.s390x",
"product_id": "python312-spotipy-2.25.1-1.1.s390x"
}
},
{
"category": "product_version",
"name": "python313-spotipy-2.25.1-1.1.s390x",
"product": {
"name": "python313-spotipy-2.25.1-1.1.s390x",
"product_id": "python313-spotipy-2.25.1-1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "python311-spotipy-2.25.1-1.1.x86_64",
"product": {
"name": "python311-spotipy-2.25.1-1.1.x86_64",
"product_id": "python311-spotipy-2.25.1-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "python312-spotipy-2.25.1-1.1.x86_64",
"product": {
"name": "python312-spotipy-2.25.1-1.1.x86_64",
"product_id": "python312-spotipy-2.25.1-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "python313-spotipy-2.25.1-1.1.x86_64",
"product": {
"name": "python313-spotipy-2.25.1-1.1.x86_64",
"product_id": "python313-spotipy-2.25.1-1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-spotipy-2.25.1-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python311-spotipy-2.25.1-1.1.aarch64"
},
"product_reference": "python311-spotipy-2.25.1-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-spotipy-2.25.1-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python311-spotipy-2.25.1-1.1.ppc64le"
},
"product_reference": "python311-spotipy-2.25.1-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-spotipy-2.25.1-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python311-spotipy-2.25.1-1.1.s390x"
},
"product_reference": "python311-spotipy-2.25.1-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-spotipy-2.25.1-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python311-spotipy-2.25.1-1.1.x86_64"
},
"product_reference": "python311-spotipy-2.25.1-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python312-spotipy-2.25.1-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python312-spotipy-2.25.1-1.1.aarch64"
},
"product_reference": "python312-spotipy-2.25.1-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python312-spotipy-2.25.1-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python312-spotipy-2.25.1-1.1.ppc64le"
},
"product_reference": "python312-spotipy-2.25.1-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python312-spotipy-2.25.1-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python312-spotipy-2.25.1-1.1.s390x"
},
"product_reference": "python312-spotipy-2.25.1-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python312-spotipy-2.25.1-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python312-spotipy-2.25.1-1.1.x86_64"
},
"product_reference": "python312-spotipy-2.25.1-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-spotipy-2.25.1-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python313-spotipy-2.25.1-1.1.aarch64"
},
"product_reference": "python313-spotipy-2.25.1-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-spotipy-2.25.1-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python313-spotipy-2.25.1-1.1.ppc64le"
},
"product_reference": "python313-spotipy-2.25.1-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-spotipy-2.25.1-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python313-spotipy-2.25.1-1.1.s390x"
},
"product_reference": "python313-spotipy-2.25.1-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-spotipy-2.25.1-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python313-spotipy-2.25.1-1.1.x86_64"
},
"product_reference": "python313-spotipy-2.25.1-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-27154",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-27154"
}
],
"notes": [
{
"category": "general",
"text": "Spotipy is a lightweight Python library for the Spotify Web API. The `CacheHandler` class creates a cache file to store the auth token. Prior to version 2.25.1, the file created has `rw-r--r--` (644) permissions by default, when it could be locked down to `rw-------` (600) permissions. This leads to overly broad exposure of the spotify auth token. If this token can be read by an attacker (another user on the machine, or a process running as another user), it can be used to perform administrative actions on the Spotify account, depending on the scope granted to the token. Version 2.25.1 tightens the cache file permissions.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:python311-spotipy-2.25.1-1.1.aarch64",
"openSUSE Tumbleweed:python311-spotipy-2.25.1-1.1.ppc64le",
"openSUSE Tumbleweed:python311-spotipy-2.25.1-1.1.s390x",
"openSUSE Tumbleweed:python311-spotipy-2.25.1-1.1.x86_64",
"openSUSE Tumbleweed:python312-spotipy-2.25.1-1.1.aarch64",
"openSUSE Tumbleweed:python312-spotipy-2.25.1-1.1.ppc64le",
"openSUSE Tumbleweed:python312-spotipy-2.25.1-1.1.s390x",
"openSUSE Tumbleweed:python312-spotipy-2.25.1-1.1.x86_64",
"openSUSE Tumbleweed:python313-spotipy-2.25.1-1.1.aarch64",
"openSUSE Tumbleweed:python313-spotipy-2.25.1-1.1.ppc64le",
"openSUSE Tumbleweed:python313-spotipy-2.25.1-1.1.s390x",
"openSUSE Tumbleweed:python313-spotipy-2.25.1-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-27154",
"url": "https://www.suse.com/security/cve/CVE-2025-27154"
},
{
"category": "external",
"summary": "SUSE Bug 1238059 for CVE-2025-27154",
"url": "https://bugzilla.suse.com/1238059"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:python311-spotipy-2.25.1-1.1.aarch64",
"openSUSE Tumbleweed:python311-spotipy-2.25.1-1.1.ppc64le",
"openSUSE Tumbleweed:python311-spotipy-2.25.1-1.1.s390x",
"openSUSE Tumbleweed:python311-spotipy-2.25.1-1.1.x86_64",
"openSUSE Tumbleweed:python312-spotipy-2.25.1-1.1.aarch64",
"openSUSE Tumbleweed:python312-spotipy-2.25.1-1.1.ppc64le",
"openSUSE Tumbleweed:python312-spotipy-2.25.1-1.1.s390x",
"openSUSE Tumbleweed:python312-spotipy-2.25.1-1.1.x86_64",
"openSUSE Tumbleweed:python313-spotipy-2.25.1-1.1.aarch64",
"openSUSE Tumbleweed:python313-spotipy-2.25.1-1.1.ppc64le",
"openSUSE Tumbleweed:python313-spotipy-2.25.1-1.1.s390x",
"openSUSE Tumbleweed:python313-spotipy-2.25.1-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:python311-spotipy-2.25.1-1.1.aarch64",
"openSUSE Tumbleweed:python311-spotipy-2.25.1-1.1.ppc64le",
"openSUSE Tumbleweed:python311-spotipy-2.25.1-1.1.s390x",
"openSUSE Tumbleweed:python311-spotipy-2.25.1-1.1.x86_64",
"openSUSE Tumbleweed:python312-spotipy-2.25.1-1.1.aarch64",
"openSUSE Tumbleweed:python312-spotipy-2.25.1-1.1.ppc64le",
"openSUSE Tumbleweed:python312-spotipy-2.25.1-1.1.s390x",
"openSUSE Tumbleweed:python312-spotipy-2.25.1-1.1.x86_64",
"openSUSE Tumbleweed:python313-spotipy-2.25.1-1.1.aarch64",
"openSUSE Tumbleweed:python313-spotipy-2.25.1-1.1.ppc64le",
"openSUSE Tumbleweed:python313-spotipy-2.25.1-1.1.s390x",
"openSUSE Tumbleweed:python313-spotipy-2.25.1-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-02-28T00:00:00Z",
"details": "critical"
}
],
"title": "CVE-2025-27154"
}
]
}
fkie_cve-2025-27154
Vulnerability from fkie_nvd
Published
2025-02-27 14:15
Modified
2025-04-07 18:24
Severity ?
Summary
Spotipy is a lightweight Python library for the Spotify Web API. The `CacheHandler` class creates a cache file to store the auth token. Prior to version 2.25.1, the file created has `rw-r--r--` (644) permissions by default, when it could be locked down to `rw-------` (600) permissions. This leads to overly broad exposure of the spotify auth token. If this token can be read by an attacker (another user on the machine, or a process running as another user), it can be used to perform administrative actions on the Spotify account, depending on the scope granted to the token. Version 2.25.1 tightens the cache file permissions.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| spotipy_project | spotipy | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:spotipy_project:spotipy:*:*:*:*:*:*:*:*",
"matchCriteriaId": "1AF757A1-6C8E-4387-945F-5A3CB03316BE",
"versionEndExcluding": "2.25.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Spotipy is a lightweight Python library for the Spotify Web API. The `CacheHandler` class creates a cache file to store the auth token. Prior to version 2.25.1, the file created has `rw-r--r--` (644) permissions by default, when it could be locked down to `rw-------` (600) permissions. This leads to overly broad exposure of the spotify auth token. If this token can be read by an attacker (another user on the machine, or a process running as another user), it can be used to perform administrative actions on the Spotify account, depending on the scope granted to the token. Version 2.25.1 tightens the cache file permissions."
},
{
"lang": "es",
"value": "Spotipy es una librer\u00eda Python liviana para la API web de Spotify. La clase `CacheHandler` crea un archivo de cach\u00e9 para almacenar el token de autenticaci\u00f3n. Antes de la versi\u00f3n 2.25.1, el archivo creado ten\u00eda permisos `rw-r--r--` (644) de forma predeterminada, cuando pod\u00eda limitarse a permisos `rw-------` (600). Esto conduce a una exposici\u00f3n demasiado amplia del token de autenticaci\u00f3n de Spotify. Si un atacante puede leer este token (otro usuario en la m\u00e1quina o un proceso que se ejecuta como otro usuario), se puede usar para realizar acciones administrativas en la cuenta de Spotify, seg\u00fan el alcance otorgado al token. La versi\u00f3n 2.25.1 restringe los permisos del archivo de cach\u00e9."
}
],
"id": "CVE-2025-27154",
"lastModified": "2025-04-07T18:24:53.463",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 8.4,
"baseSeverity": "HIGH",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2025-02-27T14:15:36.180",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Product"
],
"url": "https://github.com/spotipy-dev/spotipy/blob/master/spotipy/cache_handler.py#L93-L98"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/spotipy-dev/spotipy/commit/1ca453f6ef87a2a9e9876f52b6cb38d13532ccf2"
},
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes"
],
"url": "https://github.com/spotipy-dev/spotipy/releases/tag/2.25.1"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/spotipy-dev/spotipy/security/advisories/GHSA-pwhh-q4h6-w599"
},
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/spotipy-dev/spotipy/security/advisories/GHSA-pwhh-q4h6-w599"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-276"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
ghsa-pwhh-q4h6-w599
Vulnerability from github
Published
2025-02-28 02:34
Modified
2025-02-28 02:34
Severity ?
VLAI Severity ?
Summary
Spotipy's cache file, containing spotify auth token, is created with overly broad permissions
Details
Summary
The CacheHandler class creates a cache file to store the auth token here: https://github.com/spotipy-dev/spotipy/blob/master/spotipy/cache_handler.py#L93-L98
The file created has rw-r--r-- (644) permissions by default, when it could be locked down to rw------- (600) permissions. I think 600 is a sensible default.
Details
This leads to overly broad exposure of the spotify auth token. If this token can be read by an attacker (another user on the machine, or a process running as another user), it can be used to perform administrative actions on the Spotify account, depending on the scope granted to the token.
PoC
Run an application that uses spotipy with client creation like this:
```python from pathlib import Path import spotipy from os import getenv
def create_spotify_client(client_id: str, client_secret: str) -> spotipy.Spotify: """Create and return an authenticated Spotify client.
Args:
client_id: Spotify API client ID
client_secret: Spotify API client secret
Returns:
An authenticated Spotify client instance
"""
cache_path = Path.home() / ".cache" / "spotify-backup/.auth_cache"
cache_path.parent.mkdir(parents=True, exist_ok=True)
cache_handler = spotipy.cache_handler.CacheFileHandler(cache_path=str(cache_path))
client = spotipy.Spotify(
auth_manager=spotipy.oauth2.SpotifyOAuth(
client_id=client_id,
client_secret=client_secret,
redirect_uri="http://localhost:8000/callback",
cache_handler=cache_handler,
scope=[
"user-library-read",
"playlist-read-private",
"playlist-read-collaborative",
],
)
)
return client
create_spotify_client() ```
And then check the file permissions on the cache file that was created with:
bash
$ ls -la ~/.cache/spotify-backup/.auth_cache`
.rw-r--r--. alichtman alichtman 562 B Thu Feb 20 02:12:33 2025 /home/alichtman/.cache/spotify-backup/.auth_cache
If this issue is combined with another misconfiguration, like having o+r permissions set on your home directory, an attacker will be able to read this file and steal this auth token.
Good defense in depth would be to restrict read permissions on this cache file that contains an auth token
Impact
Potential exposure of Spotify auth token to other users with access to the machine. A worst case scenario is if the token is granted all permissions, and can be used to do any of:
- exfiltrate spotify likes / saved playlists
- delete your content
- modify your content w/o your permission
If someone were to discover an RCE in Spotify that you could trigger on a machine by having a song played (or song metadata parsed or something), this auth token could maybe be used to add a song to a playlist, or control playback (allowing further exploitation).
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "spotipy"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.25.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-27154"
],
"database_specific": {
"cwe_ids": [
"CWE-276"
],
"github_reviewed": true,
"github_reviewed_at": "2025-02-28T02:34:38Z",
"nvd_published_at": "2025-02-27T14:15:36Z",
"severity": "HIGH"
},
"details": "### Summary\n\nThe `CacheHandler` class creates a cache file to store the auth token here: https://github.com/spotipy-dev/spotipy/blob/master/spotipy/cache_handler.py#L93-L98\n\nThe file created has `rw-r--r--` (644) permissions by default, when it could be locked down to `rw-------` (600) permissions. I think `600` is a sensible default.\n\n\n\n### Details\n\nThis leads to overly broad exposure of the spotify auth token. If this token can be read by an attacker (another user on the machine, or a process running as another user), it can be used to perform administrative actions on the Spotify account, depending on the scope granted to the token.\n\n### PoC\n\nRun an application that uses spotipy with client creation like this:\n\n```python\nfrom pathlib import Path\nimport spotipy\nfrom os import getenv\n\ndef create_spotify_client(client_id: str, client_secret: str) -\u003e spotipy.Spotify:\n \"\"\"Create and return an authenticated Spotify client.\n\n Args:\n client_id: Spotify API client ID\n client_secret: Spotify API client secret\n\n Returns:\n An authenticated Spotify client instance\n \"\"\"\n cache_path = Path.home() / \".cache\" / \"spotify-backup/.auth_cache\"\n cache_path.parent.mkdir(parents=True, exist_ok=True)\n cache_handler = spotipy.cache_handler.CacheFileHandler(cache_path=str(cache_path))\n\n client = spotipy.Spotify(\n auth_manager=spotipy.oauth2.SpotifyOAuth(\n client_id=client_id,\n client_secret=client_secret,\n redirect_uri=\"http://localhost:8000/callback\",\n cache_handler=cache_handler,\n scope=[\n \"user-library-read\",\n \"playlist-read-private\",\n \"playlist-read-collaborative\",\n ],\n )\n )\n\n return client\n\ncreate_spotify_client()\n```\n\nAnd then check the file permissions on the cache file that was created with:\n\n```bash\n$ ls -la ~/.cache/spotify-backup/.auth_cache`\n.rw-r--r--. alichtman alichtman 562 B Thu Feb 20 02:12:33 2025 \uf016 /home/alichtman/.cache/spotify-backup/.auth_cache\n```\n\nIf this issue is combined with another misconfiguration, like having `o+r` permissions set on your home directory, an attacker will be able to read this file and steal this auth token.\n\nGood defense in depth would be to restrict read permissions on this cache file that contains an auth token\n\n### Impact\n\nPotential exposure of Spotify auth token to other users with access to the machine. A worst case scenario is if the token is granted all permissions, and can be used to do any of:\n\n- exfiltrate spotify likes / saved playlists\n- delete your content\n- modify your content w/o your permission\n\nIf someone were to discover an RCE in Spotify that you could trigger on a machine by having a song played (or song metadata parsed or something), this auth token could maybe be used to add a song to a playlist, or control playback (allowing further exploitation).",
"id": "GHSA-pwhh-q4h6-w599",
"modified": "2025-02-28T02:34:39Z",
"published": "2025-02-28T02:34:38Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/spotipy-dev/spotipy/security/advisories/GHSA-pwhh-q4h6-w599"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27154"
},
{
"type": "WEB",
"url": "https://github.com/spotipy-dev/spotipy/commit/1ca453f6ef87a2a9e9876f52b6cb38d13532ccf2"
},
{
"type": "PACKAGE",
"url": "https://github.com/spotipy-dev/spotipy"
},
{
"type": "WEB",
"url": "https://github.com/spotipy-dev/spotipy/blob/master/spotipy/cache_handler.py#L93-L98"
},
{
"type": "WEB",
"url": "https://github.com/spotipy-dev/spotipy/releases/tag/2.25.1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Spotipy\u0027s cache file, containing spotify auth token, is created with overly broad permissions"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…