Excessive File Permissions in Spotipy Python Library Leads to Token Exposure
CVE-2025-27154
What is CVE-2025-27154?
CVE-2025-27154 is a security vulnerability in the Spotipy Python library, a lightweight Python client for the Spotify Web API. It arises from excessive file permissions on the cache file in which Spotipy stores OAuth authentication tokens. Before version 2.25.1, this file was created with permissions that allowed other local users to read the tokens. Successful exploitation lets a malicious actor act on the associated Spotify account, with whatever level of access the scopes attached to the exposed token grant.
Technical Details
The vulnerability is rooted in the implementation of the CacheHandler class within the Spotipy library. The cache file generated to store the Spotify authentication token is created with the default file permissions rw-r--r-- (644), the result of opening the file normally under the usual umask of 022. A world-readable mode lets any other user on the same machine, and any application running under a different user context, read the file. Because the cached token data includes the refresh token as well as the access token, an attacker who reads it can keep obtaining fresh access tokens after the cached one expires, and can perform actions on behalf of the Spotify account for as long as the refresh token remains valid, leading to unauthorized control and potential misuse of the account.
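The following is an added example, not Spotipy's own code or its 2.25.1 patch. It shows the vulnerable pattern (a plain open() under umask 022, which yields 644) beside a hardened pattern that creates the cache with mode 0o600 at creation time and tightens an existing file, plus a small audit helper that flags cache files with any group or other permission bits set. The function names (write_cache_default, write_cache_owner_only, is_exposed, find_exposed_caches, demo) and the token payload are hypothetical; the token values are constructed sample data, not real credentials.

```python
"""Added example (not Spotipy's code): world-readable vs owner-only token cache.

Hypothetical helper names; SAMPLE_TOKEN is constructed sample data shaped like
an OAuth token cache, not a real credential.
"""
import json
import os
import stat
import tempfile

# Constructed sample payload, shaped like an OAuth token cache entry.
SAMPLE_TOKEN = {
    "access_token": "EXAMPLE_ACCESS_TOKEN",
    "refresh_token": "EXAMPLE_REFRESH_TOKEN",
    "token_type": "Bearer",
    "expires_in": 3600,
    "scope": "user-read-private",
}


def write_cache_default(path: str, token: dict) -> None:
    """Vulnerable pattern: open() creates the file as 0o666 masked by the
    process umask; with the common umask 022 that is 0o644, world-readable."""
    with open(path, "w") as f:
        json.dump(token, f)


def write_cache_owner_only(path: str, token: dict) -> None:
    """Hardened pattern: pass an explicit 0o600 mode at creation so there is no
    window in which other users can open the file, then chmod in case the file
    already existed with looser permissions (umask can only clear bits)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        json.dump(token, f)
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)


def file_mode(path: str) -> int:
    """Return only the permission bits of a path, e.g. 0o644."""
    return stat.S_IMODE(os.stat(path).st_mode)


def is_exposed(path: str) -> bool:
    """True if any group or other permission bit is set on the file."""
    return bool(file_mode(path) & (stat.S_IRWXG | stat.S_IRWXO))


def find_exposed_caches(directory: str, prefix: str = ".cache") -> list:
    """Audit helper: names of files under `directory` starting with `prefix`
    that are readable or writable by users other than the owner."""
    hits = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if name.startswith(prefix) and os.path.isfile(path) and is_exposed(path):
            hits.append(name)
    return hits


def demo() -> dict:
    """Write both variants under umask 022 in a temp dir and report their modes."""
    old_umask = os.umask(0o022)
    try:
        with tempfile.TemporaryDirectory() as d:
            loose = os.path.join(d, ".cache-loose")
            tight = os.path.join(d, ".cache-tight")
            write_cache_default(loose, SAMPLE_TOKEN)
            write_cache_owner_only(tight, SAMPLE_TOKEN)
            return {
                "default_mode": file_mode(loose),
                "default_exposed": is_exposed(loose),
                "hardened_mode": file_mode(tight),
                "hardened_exposed": is_exposed(tight),
                "exposed_files": find_exposed_caches(d),
            }
    finally:
        os.umask(old_umask)


if __name__ == "__main__":
    for key, value in demo().items():
        if isinstance(value, int) and not isinstance(value, bool):
            value = oct(value)
        print(f"{key}: {value}")
```

Upgrading the library does not change the mode of cache files an older version already wrote to disk, so after upgrading, locate existing cache files (Spotipy's file cache defaults to a file named .cache in the working directory) and confirm with ls -l that they are 600, tightening with chmod 600 where they are not. The same audit applies to any process that shares the host with other users.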
Potential Impact of CVE-2025-27154
- Unauthorized account access: an attacker who reads the exposed token can call the Spotify Web API as the account owner and perform any action the token's scopes permit, such as reading or modifying the account's playlists and library.
- Data leak risks: access to account data through the token can disclose personal information, a privacy concern for users and for organizations that rely on the integrity of that data.
- Reputation damage: if attackers misuse a compromised account (for instance, by publishing content under it), organizations that use Spotipy in their applications can suffer reputational harm and a loss of user trust.
Affected Version(s)
spotipy < 2.25.1