Home > Vulnerability Database > CVE-2025-66040

Mend.io Vulnerability Database

CVE-2025-66040

Good to know:

Date: November 26, 2025

Spotipy is a Python library for the Spotify Web API. Prior to version 2.25.2, there is a cross-site scripting (XSS) vulnerability in the OAuth callback server that allows for JavaScript injection through the unsanitized error parameter. Attackers can execute arbitrary JavaScript in the user's browser during OAuth authentication. This issue has been patched in version 2.25.2.

Severity Score

3.6

Related Resources (5)

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-66040

Url: https://github.com/spotipy-dev/spotipy/commit/880b92d7243dcf2b83bf31dc365a858d8b5e6767

Url: https://github.com/spotipy-dev/spotipy

Url: https://github.com/spotipy-dev/spotipy/security/advisories/GHSA-r77h-rpp9-w2xm

Url: https://www.mend.io/vulnerability-database/CVE-2025-66040

Severity Score

3.6

Weakness Type (CWE)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-79

Top Fix

Upgrade Version

Upgrade to version spotipy - 2.25.2;spotipy - 2.25.2;spotipy - 2.25.2;https://github.com/spotipy-dev/spotipy.git - 2.25.2

Learn More

CVSS v3.1

Base Score:	3.6
Attack Vector (AV):	LOCAL
Attack Complexity (AC):	HIGH
Privileges Required (PR):	NONE
User Interaction (UI):	REQUIRED
Scope (S):	UNCHANGED
Confidentiality (C):	LOW
Integrity (I):	LOW
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2025-66040

Good to know:

Date: November 26, 2025

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?