Bug 2348724 (CVE-2025-27154)

Summary: CVE-2025-27154 spotipy: Spotipy's cache file, containing spotify auth token, is created with overly broad permissions
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW
Severity: high
Priority: high
Version: unspecified
CC: wfp5p
Keywords: Security
Hardware: All
OS: Linux
Doc Text:
A flaw was found in Spotipy's CacheHandler class. This vulnerability allows unauthorized access to the Spotify authentication token via overly permissive cache file permissions. An attacker with access to the machine can read the token and potentially perform administrative actions on the associated Spotify account.
Bug Depends On: 2348879, 2348881    

Description OSIDB Bzimport 2025-02-27 14:01:07 UTC
Spotipy is a lightweight Python library for the Spotify Web API. The `CacheHandler` class creates a cache file to store the auth token. Prior to version 2.25.1, the file is created with `rw-r--r--` (644) permissions by default (the result of a plain `open()` in write mode, which requests mode 0666 and is then masked by the usual umask of 022), when it could be locked down to `rw-------` (600). This leads to overly broad exposure of the Spotify auth token: the file is readable by every other user on the host. If the token can be read by an attacker (another user on the machine, or a process running as another user), it can be used to perform administrative actions on the Spotify account, depending on the scopes granted to the token. Version 2.25.1 tightens the cache file permissions.
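The following is an added example, not spotipy's own code, that reproduces the two patterns the description contrasts: a token cache written with a plain `open()` (ending up 644 under the common 022 umask) next to a hardened writer that creates the file with an explicit 0600 and also tightens a cache file that already existed, plus a small audit helper for checking a cache file already on disk. The function names, the `.cache` file name in a temporary directory and the token contents are all constructed for the illustration.

```python
import json
import os
import stat
import tempfile

# Constructed sample token: the shape mirrors an OAuth token cache, the values are made up.
SAMPLE_TOKEN = {
    "access_token": "BQD...example",
    "token_type": "Bearer",
    "expires_in": 3600,
    "scope": "user-read-private playlist-modify-private",
    "refresh_token": "AQC...example",
}


def save_token_insecure(path, token_info):
    # The pre-2.25.1 pattern: a plain open() in write mode. open() requests mode
    # 0o666 and the kernel masks it with the process umask, so the common umask
    # 0o022 yields 0o644 and every local user can read the token.
    with open(path, "w") as f:
        json.dump(token_info, f)


def save_token_hardened(path, token_info):
    # Create with an explicit 0o600 so the file is never wider than owner-only,
    # not even briefly. The mode argument of os.open() only applies when the
    # file is created, so a cache left behind by an older version would keep its
    # old bits; fchmod() on the open descriptor tightens that case as well.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        os.fchmod(fd, 0o600)
        json.dump(token_info, f)


def file_mode(path):
    # Permission bits only (no file-type bits), e.g. 0o644.
    return stat.S_IMODE(os.stat(path).st_mode)


def audit_cache_file(path):
    # Report every way the file is exposed beyond its owner; an empty list is clean.
    mode = file_mode(path)
    findings = []
    if mode & stat.S_IRGRP:
        findings.append("group-readable")
    if mode & stat.S_IWGRP:
        findings.append("group-writable")
    if mode & stat.S_IROTH:
        findings.append("world-readable")
    if mode & stat.S_IWOTH:
        findings.append("world-writable")
    return findings


def demo():
    # Run both writers under umask 0o022 and return the resulting modes and audit findings.
    old_umask = os.umask(0o022)
    try:
        with tempfile.TemporaryDirectory() as d:
            path = os.path.join(d, ".cache")
            save_token_insecure(path, SAMPLE_TOKEN)
            insecure_mode = file_mode(path)
            insecure_findings = audit_cache_file(path)
            # Overwrite the existing 0o644 file with the hardened writer: the
            # O_CREAT mode alone would leave it at 0o644, fchmod() fixes it.
            save_token_hardened(path, SAMPLE_TOKEN)
            hardened_mode = file_mode(path)
            hardened_findings = audit_cache_file(path)
            with open(path) as f:
                round_trip = json.load(f)
    finally:
        os.umask(old_umask)
    return {
        "insecure_mode": insecure_mode,
        "insecure_findings": insecure_findings,
        "hardened_mode": hardened_mode,
        "hardened_findings": hardened_findings,
        "round_trip_ok": round_trip == SAMPLE_TOKEN,
    }


if __name__ == "__main__":
    r = demo()
    print(f"insecure: {r['insecure_mode']:o} {r['insecure_findings']}")
    print(f"hardened: {r['hardened_mode']:o} {r['hardened_findings']}")
```

On an already-deployed host the useful part is `audit_cache_file()`: running it against an existing spotipy cache tells you whether a token written by an older version is still sitting there group- or world-readable, which upgrading the package alone does not change until the cache is rewritten with the tighter mode.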

Comment 2 Bill Pemberton 2025-02-27 21:33:22 UTC
This is fixed by version 2.25.1

See https://bugzilla.redhat.com/show_bug.cgi?id=2348684