Python Library Vulnerability in Spotipy - GitHub Action Exploit Risk
CVE-2025-47928

9.1 CRITICAL

Key Information:

CVE Published:
15 May 2025

What is CVE-2025-47928?

The Spotipy library's GitHub Actions integration tests workflow allows untrusted code to run in the context of the base repository. The vulnerability arises from the workflow's use of the pull_request_target trigger: code supplied in a pull request executes with access to the repository's secrets, so an attacker can exfiltrate sensitive values including the GITHUB_TOKEN, SPOTIPY_CLIENT_ID and SPOTIPY_CLIENT_SECRET, and may thereby gain write access to the repository. Mitigations were introduced in commit 9dfb7177b8d7bb98a5a6014f8e6436812a47576f, which addressed the weakness present in earlier commits.
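As an added illustration (not Spotipy's actual workflow, which this advisory does not reproduce), the hypothetical GitHub Actions workflow below shows the weak pattern the advisory describes next to a hardened form; the job names, branch name, test paths and environment name are assumptions.

```yaml
# Weak pattern (hypothetical): pull_request_target runs in the base repo with secrets, yet executes PR code.
name: integration-tests
on:
  pull_request_target:          # base-repo context: GITHUB_TOKEN is writable, secrets available
    types: [opened, synchronize]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # Checks out the contributor's commit, so a modified test, setup.py or
          # conftest.py from the PR runs in the step below with the secrets injected.
          ref: ${{ github.event.pull_request.head.sha }}
      - run: pip install -e . && pytest tests/integration
        env:
          SPOTIPY_CLIENT_ID: ${{ secrets.SPOTIPY_CLIENT_ID }}
          SPOTIPY_CLIENT_SECRET: ${{ secrets.SPOTIPY_CLIENT_SECRET }}
---
# Hardened (hypothetical): untrusted PR code runs without secrets; secret-bearing tests only on trusted refs.
name: integration-tests
on:
  pull_request:                 # forked PRs get no secrets and a read-only GITHUB_TOKEN
    types: [opened, synchronize]
  push:
    branches: [master]          # assumed trusted branch name
permissions:
  contents: read                # least privilege for the GITHUB_TOKEN
jobs:
  unit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4   # default ref (PR merge commit); no secrets in this job
      - run: pip install -e . && pytest tests/unit
  integration:
    if: github.event_name == 'push'   # never for pull requests, so PR code never sees secrets
    runs-on: ubuntu-latest
    environment: spotify-integration  # assumed environment; require reviewers there
    steps:
      - uses: actions/checkout@v4
      - run: pip install -e . && pytest tests/integration
        env:
          SPOTIPY_CLIENT_ID: ${{ secrets.SPOTIPY_CLIENT_ID }}
          SPOTIPY_CLIENT_SECRET: ${{ secrets.SPOTIPY_CLIENT_SECRET }}
```

When reviewing a repository's workflows, any pull_request_target job that checks out the pull request head and then runs project code with secrets in scope is the pattern to look for.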

Affected Version(s)

spotipy = 4f5759dbfb4506c7b6280572a4db1aabc1ac778d

CVSS V3.1

Score: 9.1
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
