
Spotipy, a popular Python library for interacting with the Spotify Web API, recently addressed a security vulnerability that could have exposed users’ authentication tokens. The vulnerability, identified as CVE-2025-27154 and assigned a CVSSv4 score of 8.4, stemmed from the way the library’s CacheHandler class created a cache file to store the Spotify auth token.
The cache file, which contained the user’s auth token, was being created with overly permissive file permissions (mode 644, i.e. readable by every user on the host). This meant that other users or processes on the same machine could read the file, obtain the token, and gain unauthorized access to the Spotify account.
The impact of this vulnerability could range from unauthorized access to a user’s Spotify account to more severe consequences depending on the scope of permissions granted to the token. In a worst-case scenario, an attacker could:
- Access and exfiltrate a user’s Spotify likes and saved playlists.
- Delete a user’s Spotify content.
- Modify a user’s content without permission.
A simple proof-of-concept (PoC) demonstrates the security flaw.
The Spotipy team has addressed this vulnerability in version 2.25.1 by changing the default permissions of the cache file to 600, restricting access to the file’s owner.
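The following is an added example, not Spotipy’s own code: it shows the weak pattern (a plain `open()` that creates the cache at `0o666 & ~umask`, typically 644), the fixed pattern (creating the file with mode 0o600 and tightening an already-existing file with `fchmod`, since `O_CREAT` never changes the mode of a file that already exists), and a loader that refuses to use a cache other users can read. The function names (`write_token_cache`, `load_token_cache`, `demo`) and the sample token are constructed for this illustration, and the permission checks assume a POSIX filesystem.

```python
import json
import os
import stat
import tempfile

# Bits that let someone other than the owner read the token. A cache created
# as 0644 (the CVE-2025-27154 condition) has both S_IRGRP and S_IROTH set.
_SHARED_READ_BITS = stat.S_IRGRP | stat.S_IROTH


def permission_bits(path: str) -> int:
    """Return the rwx permission bits of a file as an int (e.g. 0o644 or 0o600)."""
    return stat.S_IMODE(os.stat(path).st_mode)


def cache_is_shared_readable(path: str) -> bool:
    """True if group or other users can read the cache file."""
    return bool(permission_bits(path) & _SHARED_READ_BITS)


def write_token_cache(path: str, token_info: dict) -> None:
    """Write the token JSON so that only the file owner can read or write it.

    The mode given to os.open applies at creation and the umask can only clear
    bits from it, so a new file is never wider than 0o600. For a file that
    already exists (e.g. one created as 0o644 by an older version), O_CREAT
    leaves the old mode untouched, so fchmod tightens it explicitly.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        os.fchmod(fd, 0o600)
        json.dump(token_info, f)


def load_token_cache(path: str) -> dict:
    """Load the cache, refusing a token file that other users could read."""
    if cache_is_shared_readable(path):
        raise PermissionError(
            f"{path} is readable by other users (mode {permission_bits(path):o})"
        )
    with open(path) as f:
        return json.load(f)


def demo() -> tuple:
    """Reproduce the weak default and the fixed behaviour in a temp directory.

    Returns (mode before fix, loader rejected it, mode after fix, token round-tripped).
    """
    # Constructed sample token; not a real Spotify credential.
    token = {"access_token": "constructed-sample-token", "scope": "user-library-read"}
    old_umask = os.umask(0o022)  # typical umask: plain open() yields 0o644
    try:
        with tempfile.TemporaryDirectory() as d:
            path = os.path.join(d, ".cache")
            # Weak pattern: a plain open() creates the file as 0o666 & ~umask.
            with open(path, "w") as f:
                json.dump(token, f)
            before = permission_bits(path)
            try:
                load_token_cache(path)
                rejected = False
            except PermissionError:
                rejected = True
            # Fixed pattern: overwrite and tighten the existing file to 0o600.
            write_token_cache(path, token)
            after = permission_bits(path)
            loaded = load_token_cache(path)
    finally:
        os.umask(old_umask)
    return before, rejected, after, loaded == token


if __name__ == "__main__":
    print(demo())  # → (420, True, 384, True), i.e. mode 0o644 becomes 0o600
```

The `load_token_cache` check is the part worth keeping around after upgrading: a library fix changes how new cache files are created, but a cache file written earlier with mode 644 keeps that mode until something explicitly tightens it, so auditing the existing file (or re-creating it through the fixed writer) closes the exposure for already-authenticated installs.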
Users of Spotipy are strongly encouraged to update to version 2.25.1 or later to mitigate this vulnerability. Additionally, users should follow security best practices, such as:
- Avoiding running applications as root or other privileged users unless absolutely necessary.
- Using strong passwords and enabling multi-factor authentication for their Spotify accounts.
- Regularly reviewing the permissions granted to third-party applications.