CVE-2025-66040 (GCVE-0-2025-66040)

Vulnerability from cvelistv5

Published

2025-11-26 23:14

Modified

2025-11-28 15:25

Severity ?

3.6 (Low) - CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N

CWE

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Summary

Spotipy is a Python library for the Spotify Web API. Prior to version 2.25.2, there is a cross-site scripting (XSS) vulnerability in the OAuth callback server that allows for JavaScript injection through the unsanitized error parameter. Attackers can execute arbitrary JavaScript in the user's browser during OAuth authentication. This issue has been patched in version 2.25.2.

References

URL

Tags

	security-advisories@github.com	https://github.com/spotipy-dev/spotipy/commit/880b92d7243dcf2b83bf31dc365a858d8b5e6767
	security-advisories@github.com	https://github.com/spotipy-dev/spotipy/security/advisories/GHSA-r77h-rpp9-w2xm

Impacted products

	Vendor	Product	Version
	spotipy-dev	spotipy	Version: < 2.25.2

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-66040",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-11-28T15:25:12.176179Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-11-28T15:25:40.139Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "spotipy",
          "vendor": "spotipy-dev",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 2.25.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Spotipy is a Python library for the Spotify Web API. Prior to version 2.25.2, there is a cross-site scripting (XSS) vulnerability in the OAuth callback server that allows for JavaScript injection through the unsanitized error parameter. Attackers can execute arbitrary JavaScript in the user\u0027s browser during OAuth authentication. This issue has been patched in version 2.25.2."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 3.6,
            "baseSeverity": "LOW",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-11-26T23:14:44.795Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/spotipy-dev/spotipy/security/advisories/GHSA-r77h-rpp9-w2xm",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/spotipy-dev/spotipy/security/advisories/GHSA-r77h-rpp9-w2xm"
        },
        {
          "name": "https://github.com/spotipy-dev/spotipy/commit/880b92d7243dcf2b83bf31dc365a858d8b5e6767",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/spotipy-dev/spotipy/commit/880b92d7243dcf2b83bf31dc365a858d8b5e6767"
        }
      ],
      "source": {
        "advisory": "GHSA-r77h-rpp9-w2xm",
        "discovery": "UNKNOWN"
      },
      "title": "Spotipy has a XSS vulnerability in OAuth callback server"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-66040",
    "datePublished": "2025-11-26T23:14:44.795Z",
    "dateReserved": "2025-11-21T01:08:02.615Z",
    "dateUpdated": "2025-11-28T15:25:40.139Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-66040\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-11-27T00:15:55.343\",\"lastModified\":\"2025-12-01T15:39:33.110\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Spotipy is a Python library for the Spotify Web API. Prior to version 2.25.2, there is a cross-site scripting (XSS) vulnerability in the OAuth callback server that allows for JavaScript injection through the unsanitized error parameter. Attackers can execute arbitrary JavaScript in the user\u0027s browser during OAuth authentication. This issue has been patched in version 2.25.2.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N\",\"baseScore\":3.6,\"baseSeverity\":\"LOW\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.0,\"impactScore\":2.5}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"references\":[{\"url\":\"https://github.com/spotipy-dev/spotipy/commit/880b92d7243dcf2b83bf31dc365a858d8b5e6767\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/spotipy-dev/spotipy/security/advisories/GHSA-r77h-rpp9-w2xm\",\"source\":\"security-advisories@github.com\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-66040\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-11-28T15:25:12.176179Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-11-28T15:25:26.909Z\"}}], \"cna\": {\"title\": \"Spotipy has a XSS vulnerability in OAuth callback server\", \"source\": {\"advisory\": \"GHSA-r77h-rpp9-w2xm\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 3.6, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"LOW\", \"vectorString\": \"CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"LOW\"}}], \"affected\": [{\"vendor\": \"spotipy-dev\", \"product\": \"spotipy\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 2.25.2\"}]}], \"references\": [{\"url\": \"https://github.com/spotipy-dev/spotipy/security/advisories/GHSA-r77h-rpp9-w2xm\", \"name\": \"https://github.com/spotipy-dev/spotipy/security/advisories/GHSA-r77h-rpp9-w2xm\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/spotipy-dev/spotipy/commit/880b92d7243dcf2b83bf31dc365a858d8b5e6767\", \"name\": \"https://github.com/spotipy-dev/spotipy/commit/880b92d7243dcf2b83bf31dc365a858d8b5e6767\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Spotipy is a Python library for the Spotify Web API. Prior to version 2.25.2, there is a cross-site scripting (XSS) vulnerability in the OAuth callback server that allows for JavaScript injection through the unsanitized error parameter. Attackers can execute arbitrary JavaScript in the user\u0027s browser during OAuth authentication. This issue has been patched in version 2.25.2.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-79\", \"description\": \"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-11-26T23:14:44.795Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-66040\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-11-28T15:25:40.139Z\", \"dateReserved\": \"2025-11-21T01:08:02.615Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2025-11-26T23:14:44.795Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

ghsa-r77h-rpp9-w2xm

Vulnerability from github

Published

2025-12-01 19:07

Modified

2025-12-01 19:07

Severity ?

3.6 (Low) - CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N

Summary

Spotipy has a XSS vulnerability in its OAuth callback server

Details

Summary

XSS vulnerability in OAuth callback server allows JavaScript injection through unsanitized error parameter. Attackers can execute arbitrary JavaScript in the user's browser during OAuth authentication.

Details

Vulnerable Code: spotipy/oauth2.py lines 1238-1274 (RequestHandler.do_GET)

The Problem: During OAuth flow, spotipy starts a local HTTP server to receive callbacks. The server reflects the error URL parameter directly into HTML without sanitization.

Vulnerable code at line 1255: python status = f"failed ({self.server.error})"

Then embedded in HTML at line 1265: ```python self._write(f"""

Authentication status: {status}

""") ```

The error parameter comes from URL parsing (lines 388-393) without HTML escaping, allowing script injection.

Attack Flow: 1. User starts OAuth authentication → local server runs on http://127.0.0.1:8080 2. Attacker crafts malicious URL: http://127.0.0.1:8080/?error=<script>alert(1)</script>&state=x 3. User visits URL → JavaScript executes in localhost origin

PoC

Simple Python Test: ```python

!/usr/bin/env python3

poc_xss.py - Demonstrates XSS in spotipy OAuth callback

import requests from spotipy.oauth2 import start_local_http_server import threading import time

Start vulnerable server in background

def start_server(): server = start_local_http_server(8080) server.handle_request()

thread = threading.Thread(target=start_server, daemon=True) thread.start() time.sleep(2)

Send XSS payload

payload = 'alert("XSS")' url = f'http://127.0.0.1:8080/?error={payload}&state=test'

response = requests.get(url) print(f"Status: {response.status_code}") print(f"\nHTML Response:\n{response.text}")

Check if vulnerable

if payload in response.text: print(f"\n[!] VULNERABLE: Payload '{payload}' reflected without escaping!") else: print("\n[+] Safe: Payload was sanitized") ```

Run it: bash pip install spotipy requests python3 poc_xss.py

Output shows: ``` Status: 200 HTML Response:

Authentication status: failed (alert("XSS"))

[!] VULNERABLE: Payload 'alert("XSS")' reflected without escaping! ```

The Proof: - Expected (safe): <script>alert("XSS")</script> - Actual (vulnerable): <script>alert("XSS")</script> - The script tags are NOT escaped → XSS confirmed

Impact

Vulnerability Type: Cross-Site Scripting (XSS) - CWE-79

Affected Users: Anyone using spotipy's OAuth flow with localhost redirect URIs

Attack Complexity: Medium-High - Requires timing (during brief OAuth window) - Localhost-only (127.0.0.1) - Requires user interaction (click malicious link)

Potential Impact: - Execute JavaScript in localhost origin - Access other localhost services (port scanning, API calls) - Steal data from local web applications - Extract OAuth tokens from browser storage - Bypass CSRF protections on localhost endpoints

CVSS 3.1 Score: 4.2 (Medium) - Attack Vector: Local - Attack Complexity: High - Privileges Required: None - User Interaction: Required - Scope: Unchanged - Confidentiality/Integrity: Low

Recommended Fix: ```python import html

Line 1255 - apply HTML escaping

if self.server.error: status = f"failed ({html.escape(str(self.server.error))})" ```

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "spotipy"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.25.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-66040"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-12-01T19:07:26Z",
    "nvd_published_at": "2025-11-27T00:15:55Z",
    "severity": "LOW"
  },
  "details": "### Summary\nXSS vulnerability in OAuth callback server allows JavaScript injection through unsanitized error parameter. Attackers can execute arbitrary JavaScript in the user\u0027s browser during OAuth authentication.\n\n\n### Details\n**Vulnerable Code:** `spotipy/oauth2.py` lines 1238-1274 (RequestHandler.do_GET)\n\n**The Problem:**\nDuring OAuth flow, spotipy starts a local HTTP server to receive callbacks. The server reflects the `error` URL parameter directly into HTML without sanitization.\n\n**Vulnerable code at line 1255:**\n```python\nstatus = f\"failed ({self.server.error})\"\n```\n\n**Then embedded in HTML at line 1265:**\n```python\nself._write(f\"\"\"\u003chtml\u003e\n\u003cbody\u003e\n\u003ch1\u003eAuthentication status: {status}\u003c/h1\u003e\n\u003c/body\u003e\n\u003c/html\u003e\"\"\")\n```\n\nThe `error` parameter comes from URL parsing (lines 388-393) without HTML escaping, allowing script injection.\n\n**Attack Flow:**\n1. User starts OAuth authentication \u2192 local server runs on `http://127.0.0.1:8080`\n2. Attacker crafts malicious URL: `http://127.0.0.1:8080/?error=\u003cscript\u003ealert(1)\u003c/script\u003e\u0026state=x`\n3. User visits URL \u2192 JavaScript executes in localhost origin\n\n\n### PoC\n\n**Simple Python Test:**\n```python\n#!/usr/bin/env python3\n# poc_xss.py - Demonstrates XSS in spotipy OAuth callback\n\nimport requests\nfrom spotipy.oauth2 import start_local_http_server\nimport threading\nimport time\n\n# Start vulnerable server in background\ndef start_server():\n    server = start_local_http_server(8080)\n    server.handle_request()\n\nthread = threading.Thread(target=start_server, daemon=True)\nthread.start()\ntime.sleep(2)\n\n# Send XSS payload\npayload = \u0027\u003cscript\u003ealert(\"XSS\")\u003c/script\u003e\u0027\nurl = f\u0027http://127.0.0.1:8080/?error={payload}\u0026state=test\u0027\n\nresponse = requests.get(url)\nprint(f\"Status: {response.status_code}\")\nprint(f\"\\nHTML Response:\\n{response.text}\")\n\n# Check if vulnerable\nif payload in response.text:\n    print(f\"\\n[!] VULNERABLE: Payload \u0027{payload}\u0027 reflected without escaping!\")\nelse:\n    print(\"\\n[+] Safe: Payload was sanitized\")\n```\n\n**Run it:**\n```bash\npip install spotipy requests\npython3 poc_xss.py\n```\n\n**Output shows:**\n```\nStatus: 200\nHTML Response:\n\u003chtml\u003e\n\u003cbody\u003e\n\u003ch1\u003eAuthentication status: failed (\u003cscript\u003ealert(\"XSS\")\u003c/script\u003e)\u003c/h1\u003e\n\u003c/body\u003e\n\u003c/html\u003e\n\n[!] VULNERABLE: Payload \u0027\u003cscript\u003ealert(\"XSS\")\u003c/script\u003e\u0027 reflected without escaping!\n```\n\n**The Proof:**\n- Expected (safe): `\u0026lt;script\u0026gt;alert(\"XSS\")\u0026lt;/script\u0026gt;`\n- Actual (vulnerable): `\u003cscript\u003ealert(\"XSS\")\u003c/script\u003e`\n- The script tags are NOT escaped \u2192 XSS confirmed\n\n### Impact\n\n**Vulnerability Type:** Cross-Site Scripting (XSS) - CWE-79\n\n**Affected Users:** Anyone using spotipy\u0027s OAuth flow with localhost redirect URIs\n\n**Attack Complexity:** Medium-High\n- Requires timing (during brief OAuth window)\n- Localhost-only (127.0.0.1)\n- Requires user interaction (click malicious link)\n\n**Potential Impact:**\n- Execute JavaScript in localhost origin\n- Access other localhost services (port scanning, API calls)\n- Steal data from local web applications\n- Extract OAuth tokens from browser storage\n- Bypass CSRF protections on localhost endpoints\n\n**CVSS 3.1 Score:** 4.2 (Medium)\n- Attack Vector: Local\n- Attack Complexity: High\n- Privileges Required: None\n- User Interaction: Required\n- Scope: Unchanged\n- Confidentiality/Integrity: Low\n\n\n**Recommended Fix:**\n```python\nimport html\n\n# Line 1255 - apply HTML escaping\nif self.server.error:\n    status = f\"failed ({html.escape(str(self.server.error))})\"\n```",
  "id": "GHSA-r77h-rpp9-w2xm",
  "modified": "2025-12-01T19:07:26Z",
  "published": "2025-12-01T19:07:26Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/spotipy-dev/spotipy/security/advisories/GHSA-r77h-rpp9-w2xm"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66040"
    },
    {
      "type": "WEB",
      "url": "https://github.com/spotipy-dev/spotipy/commit/880b92d7243dcf2b83bf31dc365a858d8b5e6767"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/spotipy-dev/spotipy"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Spotipy has a XSS vulnerability in its OAuth callback server"
}

fkie_cve-2025-66040

Vulnerability from fkie_nvd

Published

2025-11-27 00:15

Modified

2025-12-01 15:39

Severity ?

3.6 (Low) - CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/spotipy-dev/spotipy/commit/880b92d7243dcf2b83bf31dc365a858d8b5e6767
	security-advisories@github.com	https://github.com/spotipy-dev/spotipy/security/advisories/GHSA-r77h-rpp9-w2xm

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Spotipy is a Python library for the Spotify Web API. Prior to version 2.25.2, there is a cross-site scripting (XSS) vulnerability in the OAuth callback server that allows for JavaScript injection through the unsanitized error parameter. Attackers can execute arbitrary JavaScript in the user\u0027s browser during OAuth authentication. This issue has been patched in version 2.25.2."
    }
  ],
  "id": "CVE-2025-66040",
  "lastModified": "2025-12-01T15:39:33.110",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "LOCAL",
          "availabilityImpact": "NONE",
          "baseScore": 3.6,
          "baseSeverity": "LOW",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.0,
        "impactScore": 2.5,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-11-27T00:15:55.343",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/spotipy-dev/spotipy/commit/880b92d7243dcf2b83bf31dc365a858d8b5e6767"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/spotipy-dev/spotipy/security/advisories/GHSA-r77h-rpp9-w2xm"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

opensuse-su-2025:15777-1

Vulnerability from csaf_opensuse

Published

2025-11-27 00:00

Modified

2025-11-27 00:00

Summary

python311-spotipy-2.25.2-1.1 on GA media

Notes

Title of the patch

python311-spotipy-2.25.2-1.1 on GA media

Description of the patch

These are all security issues fixed in the python311-spotipy-2.25.2-1.1 package on the GA media of openSUSE Tumbleweed.

Patchnames

openSUSE-Tumbleweed-2025-15777

CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "python311-spotipy-2.25.2-1.1 on GA media",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "These are all security issues fixed in the python311-spotipy-2.25.2-1.1 package on the GA media of openSUSE Tumbleweed.",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-Tumbleweed-2025-15777",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2025_15777-1.json"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-66040 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-66040/"
      }
    ],
    "title": "python311-spotipy-2.25.2-1.1 on GA media",
    "tracking": {
      "current_release_date": "2025-11-27T00:00:00Z",
      "generator": {
        "date": "2025-11-27T00:00:00Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2025:15777-1",
      "initial_release_date": "2025-11-27T00:00:00Z",
      "revision_history": [
        {
          "date": "2025-11-27T00:00:00Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python311-spotipy-2.25.2-1.1.aarch64",
                "product": {
                  "name": "python311-spotipy-2.25.2-1.1.aarch64",
                  "product_id": "python311-spotipy-2.25.2-1.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "python312-spotipy-2.25.2-1.1.aarch64",
                "product": {
                  "name": "python312-spotipy-2.25.2-1.1.aarch64",
                  "product_id": "python312-spotipy-2.25.2-1.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "python313-spotipy-2.25.2-1.1.aarch64",
                "product": {
                  "name": "python313-spotipy-2.25.2-1.1.aarch64",
                  "product_id": "python313-spotipy-2.25.2-1.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python311-spotipy-2.25.2-1.1.ppc64le",
                "product": {
                  "name": "python311-spotipy-2.25.2-1.1.ppc64le",
                  "product_id": "python311-spotipy-2.25.2-1.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "python312-spotipy-2.25.2-1.1.ppc64le",
                "product": {
                  "name": "python312-spotipy-2.25.2-1.1.ppc64le",
                  "product_id": "python312-spotipy-2.25.2-1.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "python313-spotipy-2.25.2-1.1.ppc64le",
                "product": {
                  "name": "python313-spotipy-2.25.2-1.1.ppc64le",
                  "product_id": "python313-spotipy-2.25.2-1.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python311-spotipy-2.25.2-1.1.s390x",
                "product": {
                  "name": "python311-spotipy-2.25.2-1.1.s390x",
                  "product_id": "python311-spotipy-2.25.2-1.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "python312-spotipy-2.25.2-1.1.s390x",
                "product": {
                  "name": "python312-spotipy-2.25.2-1.1.s390x",
                  "product_id": "python312-spotipy-2.25.2-1.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "python313-spotipy-2.25.2-1.1.s390x",
                "product": {
                  "name": "python313-spotipy-2.25.2-1.1.s390x",
                  "product_id": "python313-spotipy-2.25.2-1.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python311-spotipy-2.25.2-1.1.x86_64",
                "product": {
                  "name": "python311-spotipy-2.25.2-1.1.x86_64",
                  "product_id": "python311-spotipy-2.25.2-1.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "python312-spotipy-2.25.2-1.1.x86_64",
                "product": {
                  "name": "python312-spotipy-2.25.2-1.1.x86_64",
                  "product_id": "python312-spotipy-2.25.2-1.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "python313-spotipy-2.25.2-1.1.x86_64",
                "product": {
                  "name": "python313-spotipy-2.25.2-1.1.x86_64",
                  "product_id": "python313-spotipy-2.25.2-1.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "openSUSE Tumbleweed",
                "product": {
                  "name": "openSUSE Tumbleweed",
                  "product_id": "openSUSE Tumbleweed",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:tumbleweed"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python311-spotipy-2.25.2-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python311-spotipy-2.25.2-1.1.aarch64"
        },
        "product_reference": "python311-spotipy-2.25.2-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python311-spotipy-2.25.2-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python311-spotipy-2.25.2-1.1.ppc64le"
        },
        "product_reference": "python311-spotipy-2.25.2-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python311-spotipy-2.25.2-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python311-spotipy-2.25.2-1.1.s390x"
        },
        "product_reference": "python311-spotipy-2.25.2-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python311-spotipy-2.25.2-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python311-spotipy-2.25.2-1.1.x86_64"
        },
        "product_reference": "python311-spotipy-2.25.2-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python312-spotipy-2.25.2-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python312-spotipy-2.25.2-1.1.aarch64"
        },
        "product_reference": "python312-spotipy-2.25.2-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python312-spotipy-2.25.2-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python312-spotipy-2.25.2-1.1.ppc64le"
        },
        "product_reference": "python312-spotipy-2.25.2-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python312-spotipy-2.25.2-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python312-spotipy-2.25.2-1.1.s390x"
        },
        "product_reference": "python312-spotipy-2.25.2-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python312-spotipy-2.25.2-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python312-spotipy-2.25.2-1.1.x86_64"
        },
        "product_reference": "python312-spotipy-2.25.2-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python313-spotipy-2.25.2-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python313-spotipy-2.25.2-1.1.aarch64"
        },
        "product_reference": "python313-spotipy-2.25.2-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python313-spotipy-2.25.2-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python313-spotipy-2.25.2-1.1.ppc64le"
        },
        "product_reference": "python313-spotipy-2.25.2-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python313-spotipy-2.25.2-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python313-spotipy-2.25.2-1.1.s390x"
        },
        "product_reference": "python313-spotipy-2.25.2-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python313-spotipy-2.25.2-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python313-spotipy-2.25.2-1.1.x86_64"
        },
        "product_reference": "python313-spotipy-2.25.2-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-66040",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-66040"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Spotipy is a Python library for the Spotify Web API. Prior to version 2.25.2, there is a cross-site scripting (XSS) vulnerability in the OAuth callback server that allows for JavaScript injection through the unsanitized error parameter. Attackers can execute arbitrary JavaScript in the user\u0027s browser during OAuth authentication. This issue has been patched in version 2.25.2.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:python311-spotipy-2.25.2-1.1.aarch64",
          "openSUSE Tumbleweed:python311-spotipy-2.25.2-1.1.ppc64le",
          "openSUSE Tumbleweed:python311-spotipy-2.25.2-1.1.s390x",
          "openSUSE Tumbleweed:python311-spotipy-2.25.2-1.1.x86_64",
          "openSUSE Tumbleweed:python312-spotipy-2.25.2-1.1.aarch64",
          "openSUSE Tumbleweed:python312-spotipy-2.25.2-1.1.ppc64le",
          "openSUSE Tumbleweed:python312-spotipy-2.25.2-1.1.s390x",
          "openSUSE Tumbleweed:python312-spotipy-2.25.2-1.1.x86_64",
          "openSUSE Tumbleweed:python313-spotipy-2.25.2-1.1.aarch64",
          "openSUSE Tumbleweed:python313-spotipy-2.25.2-1.1.ppc64le",
          "openSUSE Tumbleweed:python313-spotipy-2.25.2-1.1.s390x",
          "openSUSE Tumbleweed:python313-spotipy-2.25.2-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-66040",
          "url": "https://www.suse.com/security/cve/CVE-2025-66040"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1254285 for CVE-2025-66040",
          "url": "https://bugzilla.suse.com/1254285"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:python311-spotipy-2.25.2-1.1.aarch64",
            "openSUSE Tumbleweed:python311-spotipy-2.25.2-1.1.ppc64le",
            "openSUSE Tumbleweed:python311-spotipy-2.25.2-1.1.s390x",
            "openSUSE Tumbleweed:python311-spotipy-2.25.2-1.1.x86_64",
            "openSUSE Tumbleweed:python312-spotipy-2.25.2-1.1.aarch64",
            "openSUSE Tumbleweed:python312-spotipy-2.25.2-1.1.ppc64le",
            "openSUSE Tumbleweed:python312-spotipy-2.25.2-1.1.s390x",
            "openSUSE Tumbleweed:python312-spotipy-2.25.2-1.1.x86_64",
            "openSUSE Tumbleweed:python313-spotipy-2.25.2-1.1.aarch64",
            "openSUSE Tumbleweed:python313-spotipy-2.25.2-1.1.ppc64le",
            "openSUSE Tumbleweed:python313-spotipy-2.25.2-1.1.s390x",
            "openSUSE Tumbleweed:python313-spotipy-2.25.2-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-11-27T00:00:00Z",
          "details": "low"
        }
      ],
      "title": "CVE-2025-66040"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

CVE-2025-66040 (GCVE-0-2025-66040)

Vulnerability from cvelistv5

ghsa-r77h-rpp9-w2xm

Vulnerability from github

Summary

Details

Authentication status: {status}

PoC

!/usr/bin/env python3

poc_xss.py - Demonstrates XSS in spotipy OAuth callback

Start vulnerable server in background

Send XSS payload

Check if vulnerable

Authentication status: failed (alert("XSS"))

Impact

Line 1255 - apply HTML escaping

fkie_cve-2025-66040

Vulnerability from fkie_nvd

opensuse-su-2025:15777-1

Vulnerability from csaf_opensuse

Tags

Sightings

Nomenclature