CVE-2025-27154— Spotipy's cache file, containing spotify auth token, is created with overly broad permissions

Spotipy's cache file, containing spotify auth token, is created with overly broad permissions

Spotipy is a lightweight Python library for the Spotify Web API. The `CacheHandler` class creates a cache file to store the auth token. Prior to version 2.25.1, the file created has `rw-r--r--` (644) permissions by default, when it could be locked down to `rw-------` (600) permissions. This leads to overly broad exposure of the spotify auth token. If this token can be read by an attacker (another user on the machine, or a process running as another user), it can be used to perform administrative actions on the Spotify account, depending on the scope granted to the token. Version 2.25.1 tightens the cache file permissions.

N/A

缺省权限不正确

Spotipy 安全漏洞

Spotipy是spotipy-dev个人开发者的用于 Spotify Web API 的轻量级 Python 库。 Spotipy 2.25.1之前版本存在安全漏洞，该漏洞源于CacheHandler类创建的缓存文件权限过于宽松，可能导致Spotify认证令牌泄露。

N/A

N/A