2348724 – (CVE-2025-27154) CVE-2025-27154 spotipy: Spotipy's cache file, containing spotify auth token, is created with overly broad permissions

Bug 2348724 (CVE-2025-27154) - CVE-2025-27154 spotipy: Spotipy's cache file, containing spotify auth token, is created with overly broad permissions

Summary: CVE-2025-27154 spotipy: Spotipy's cache file, containing spotify auth token, ...

Keywords:
Status:	NEW
Alias:	CVE-2025-27154
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2348879 2348881
Blocks:
TreeView+	depends on / blocked

Reported:	2025-02-27 14:01 UTC by OSIDB Bzimport
Modified:	2025-02-27 21:33 UTC (History)
CC List:	1 user (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2025-02-27 14:01:07 UTC

Spotipy is a lightweight Python library for the Spotify Web API. The `CacheHandler` class creates a cache file to store the auth token. Prior to version 2.25.1, the file created has `rw-r--r--` (644) permissions by default, when it could be locked down to `rw-------` (600) permissions. This leads to overly broad exposure of the spotify auth token. If this token can be read by an attacker (another user on the machine, or a process running as another user), it can be used to perform administrative actions on the Spotify account, depending on the scope granted to the token. Version 2.25.1 tightens the cache file permissions.

Comment 2 Bill Pemberton 2025-02-27 21:33:22 UTC

This is fixed by version 2.25.1

See https://bugzilla.redhat.com/show_bug.cgi?id=2348684

Note You need to log in before you can comment on or make changes to this bug.