Home > Vulnerability Database > CVE-2025-27154

Mend.io Vulnerability Database

CVE-2025-27154

Good to know:

Date: February 27, 2025

Spotipy is a lightweight Python library for the Spotify Web API. The "CacheHandler" class creates a cache file to store the auth token. Prior to version 2.25.1, the file created has "rw-r--r--" (644) permissions by default, when it could be locked down to "rw-------" (600) permissions. This leads to overly broad exposure of the spotify auth token. If this token can be read by an attacker (another user on the machine, or a process running as another user), it can be used to perform administrative actions on the Spotify account, depending on the scope granted to the token. Version 2.25.1 tightens the cache file permissions.

Severity Score

9.8

Related Resources (8)

Url: https://github.com/spotipy-dev/spotipy/blob/master/spotipy/cache_handler.py#L93-L98

Url: https://github.com/spotipy-dev/spotipy

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-27154

Url: https://github.com/spotipy-dev/spotipy/commit/1ca453f6ef87a2a9e9876f52b6cb38d13532ccf2

Url: https://security-tracker.debian.org/tracker/CVE-2025-27154

Url: https://github.com/spotipy-dev/spotipy/security/advisories/GHSA-pwhh-q4h6-w599

Url: https://github.com/spotipy-dev/spotipy/releases/tag/2.25.1

Url: https://www.mend.io/vulnerability-database/CVE-2025-27154

Severity Score

9.8

Weakness Type (CWE)

Incorrect Default Permissions

CWE-276

Top Fix

Upgrade Version

Upgrade to version spotipy - 2.25.1

Learn More

CVSS v3.1

Base Score:	9.8
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2025-27154

Good to know:

Date: February 27, 2025

Severity Score

Related Resources (8)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?