Summary: Spotipy, a popular Python library for the Spotify Web API, has fixed a security vulnerability (CVE-2025-27154) that allowed unauthorized access to users' authentication tokens because the token cache file was created with overly permissive file permissions. Exposure of the token could lead to serious consequences, such as unauthorized access to or modification of user content. Users are urged to update to version 2.25.1 or later to ensure their accounts are secure.
Affected: Spotipy users
Key points:
- CVE-2025-27154 has a CVSSv4 score of 8.4; it stems from the permissions on the cache file that stores the authentication token.
- Default cache file permissions were changed from 644 to 600 in version 2.25.1.
- Users should follow security best practices to protect their accounts, including strong passwords and multi-factor authentication.
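The difference between the old default (0644, readable by every local user) and the fix (0600, owner only) is easy to reproduce and to audit for. The following is an added example written for this summary, not Spotipy's own code; it assumes a POSIX filesystem and uses ".cache" as a stand-in file name for the token cache:

```python
import os
import stat
import tempfile

# Any of these bits grants access to users other than the file owner.
GROUP_OR_WORLD = stat.S_IRWXG | stat.S_IRWXO


def write_token_cache(path: str, token_json: str) -> None:
    """Store a token cache so it is never readable by other local users.

    tempfile.mkstemp creates the file with mode 0600 regardless of umask, so
    the token is protected from the instant the file exists; os.replace then
    swaps it into place atomically. Replacing instead of truncating in place
    also means a pre-existing 0644 cache does not keep its old mode.
    """
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp_path = tempfile.mkstemp(prefix=".cache-", dir=directory)
    try:
        with os.fdopen(fd, "w") as f:
            f.write(token_json)
        os.replace(tmp_path, path)
    except BaseException:
        os.unlink(tmp_path)
        raise


def audit_token_cache(path: str) -> dict:
    """Report whether an existing cache file is exposed beyond its owner."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return {
        "mode": oct(mode),
        "exposed": bool(mode & GROUP_OR_WORLD),
        "world_readable": bool(mode & stat.S_IROTH),
    }


def demo(directory=None):
    """Reproduce the old 0644 default and the 0600 fix in a scratch directory.
    Returns (exposed_before, exposed_after, mode_after)."""
    directory = directory or tempfile.mkdtemp()
    path = os.path.join(directory, ".cache")  # assumed cache file name
    token = '{"access_token": "CONSTRUCTED-SAMPLE", "expires_at": 0}'
    # Simulate the pre-2.25.1 behaviour: a cache written with mode 0644.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o644)
    with os.fdopen(fd, "w") as f:
        f.write(token)
    os.chmod(path, 0o644)  # defeat a strict umask so the old case is visible
    before = audit_token_cache(path)["exposed"]
    write_token_cache(path, token)  # the hardened write
    after = audit_token_cache(path)
    return before, after["exposed"], after["mode"]


if __name__ == "__main__":
    print(demo())  # (True, False, '0o600')
```

Running audit_token_cache against an existing cache written by an older Spotipy version tells you whether the file still needs its permissions tightened after upgrading.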
Source: https://securityonline.info/cve-2025-27154-spotipy-vulnerability-exposes-spotify-auth-tokens/