- Description
- Spotipy is a lightweight Python library for the Spotify Web API. The `CacheHandler` class creates a cache file to store the auth token. Prior to version 2.25.1, the file created has `rw-r--r--` (644) permissions by default, when it could be locked down to `rw-------` (600) permissions. This leads to overly broad exposure of the spotify auth token. If this token can be read by an attacker (another user on the machine, or a process running as another user), it can be used to perform administrative actions on the Spotify account, depending on the scope granted to the token. Version 2.25.1 tightens the cache file permissions.
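The description above turns on a single detail: a cache file created through a plain `open()` inherits the process umask and usually ends up `644`, readable by every other account on the host. The following added example is not Spotipy's code and does not reproduce its `CacheHandler`; all function names and the sample token payload are constructed for illustration. It contrasts the weak default write with an owner-only (`0600`) write that also tightens a pre-existing file, and includes a small audit helper that a defender can point at an existing cache file to check whether the token is exposed to group or other users. POSIX permission semantics are assumed.

```python
import json
import os
import stat
import tempfile

# Constructed sample payload; it is not a real Spotify token or a real cache file layout.
SAMPLE_TOKEN = {"access_token": "EXAMPLE-TOKEN", "scope": "user-read-private", "expires_at": 0}


def write_cache_default(path: str, token: dict) -> None:
    """Weak pattern: open() creates the file as 0o666 & ~umask, so with the
    common umask of 022 the cache lands on disk as 0o644 (world-readable)."""
    with open(path, "w") as f:
        json.dump(token, f)


def write_cache_private(path: str, token: dict) -> None:
    """Hardened pattern: create the file owner-only from the first instant it
    exists (no window where another user can read it), then fchmod so the
    final mode does not depend on the umask or on a pre-existing looser mode."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    try:
        os.fchmod(fd, 0o600)
    except OSError:
        os.close(fd)
        raise
    with os.fdopen(fd, "w") as f:  # fdopen takes ownership of fd and closes it
        json.dump(token, f)


def cache_mode(path: str) -> int:
    """Permission bits of an existing cache file (e.g. 0o644 or 0o600)."""
    return stat.S_IMODE(os.stat(path).st_mode)


def is_exposed(path: str) -> bool:
    """Audit check: True if group or other users hold any access bit on the file."""
    return bool(cache_mode(path) & (stat.S_IRWXG | stat.S_IRWXO))


def demo() -> dict:
    """Write a token both ways under umask 022 and report the resulting modes.
    The 'safe' file is first written with the weak pattern and then rewritten
    with the hardened one, showing that an already-exposed file gets tightened."""
    old_umask = os.umask(0o022)
    try:
        with tempfile.TemporaryDirectory() as d:
            weak = os.path.join(d, "cache-weak")
            safe = os.path.join(d, "cache-safe")
            write_cache_default(weak, SAMPLE_TOKEN)
            write_cache_default(safe, SAMPLE_TOKEN)  # starts out 0o644
            write_cache_private(safe, SAMPLE_TOKEN)  # now forced to 0o600
            return {
                "weak_mode": cache_mode(weak),
                "safe_mode": cache_mode(safe),
                "weak_exposed": is_exposed(weak),
                "safe_exposed": is_exposed(safe),
            }
    finally:
        os.umask(old_umask)


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, oct(v) if isinstance(v, int) and not isinstance(v, bool) else v)
```

`is_exposed()` is the check worth running on any host where a pre-2.25.1 cache file may still exist: upgrading the library fixes how new files are created, but a cache written earlier keeps whatever mode it was given until it is rewritten or chmod'ed.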
- Source
- security-advisories@github.com
- NVD status
- Received
CVSS 4.0
- Type
- Secondary
- Base score
- 8.4
- Impact score
- -
- Exploitability score
- -
- Vector string
- CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
- Severity
- HIGH
- security-advisories@github.com
- CWE-276
- Hype score
- Not currently trending
■ Possible leak of authentication tokens due to a vulnerability in the #Python library #Spotipy 2025/3/4 A vulnerability (CVE-2025-27154) was discovered in which Spotipy's cache file is created with improper permissions (644), exposing the Spotify authentication token to other users; it is fixed in 2.25.1 https://t.co/dydgfIJ4WW
@hibino_news
5 Mar 2025
34 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Possible leak of Spotify authentication tokens due to a vulnerability in the Python library Spotipy (CVE-2025-27154) #セキュリティ対策Lab #セキュリティ #Security https://t.co/fTaqC572Em
@securityLab_jp
4 Mar 2025
48 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Spotipy has addressed a serious vulnerability (CVE-2025-27154) affecting authentication tokens due to file permissions. Users should upgrade to version 2.25.1 or later for enhanced security. 🚨🔒 #Spotipy #DataPrivacy #USA link: https://t.co/sCIj9RnvjC https://t.co/enDdejxm0L
@TweetThreatNews
3 Mar 2025
51 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
⚠️ Vulnerability Alert: Spotipy Vulnerability Exposes Spotify Auth Tokens 📅 Timeline: Disclosure: 2025-02-27, Patch: 2025-03-01 📌 Attribution: Reported by GitHub Security (credit to @alichtman) 🆔 CVE ID: CVE-2025-27154 📊 Base Score: 8.4 📏 CVSS Metrics:… https://t.c
@syedaquib77
3 Mar 2025
39 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-27154 Spotipy is a lightweight Python library for the Spotify Web API. The `CacheHandler` class creates a cache file to store the auth token. Prior to version 2.25.1, the f… https://t.co/TTv720KuKs
@CVEnew
27 Feb 2025
70 Impressions
0 Retweets
2 Likes
0 Bookmarks
0 Replies
0 Quotes
[CVE-2025-27154: HIGH] Spotipy Python library fixed vulnerability in cache file permissions, preventing unauthorized access to Spotify tokens. Update to version 2.25.1 to enhance cyber security.#cybersecurity,#vulnerability https://t.co/djeyaPxEwY https://t.co/P1o06cJiHD
@CveFindCom
27 Feb 2025
12 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes