Source: spotipy
Version: 2.25.0-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for spotipy.

CVE-2025-27154[0]:
| Spotipy is a lightweight Python library for the Spotify Web API. The
| `CacheHandler` class creates a cache file to store the auth token.
| Prior to version 2.25.1, the file created has `rw-r--r--` (644)
| permissions by default, when it could be locked down to `rw-------`
| (600) permissions. This leads to overly broad exposure of the
| spotify auth token. If this token can be read by an attacker
| (another user on the machine, or a process running as another user),
| it can be used to perform administrative actions on the Spotify
| account, depending on the scope granted to the token. Version 2.25.1
| tightens the cache file permissions.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-27154
    https://www.cve.org/CVERecord?id=CVE-2025-27154
[1] https://github.com/spotipy-dev/spotipy/security/advisories/GHSA-pwhh-q4h6-w599
[2] https://github.com/spotipy-dev/spotipy/commit/1ca453f6ef87a2a9e9876f52b6cb38d13532ccf2

Regards,
Salvatore
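The permission problem the advisory describes, as an added example that is not part of this report and not Spotipy's own code: the "before" writer uses a plain open(), which yields 0o644 under the usual 022 umask, next to a hardened writer that creates the cache at 0o600 from the start and atomically replaces any earlier, world-readable copy, plus an audit check a sysadmin can run over existing cache files. It assumes a POSIX host; the token payload, file names and function names are constructed for the example and say nothing about what the upstream commit itself changed.

```python
import json
import os
import stat
import tempfile

# Constructed sample payload; a real Spotipy cache holds the OAuth token
# JSON returned by Spotify (access token, refresh token, scope, expiry).
SAMPLE_TOKEN = {
    "access_token": "EXAMPLE-ACCESS-TOKEN",
    "refresh_token": "EXAMPLE-REFRESH-TOKEN",
    "scope": "user-read-private",
    "expires_at": 1700000000,
}


def file_mode(path):
    """Permission bits of path as an int, e.g. 0o644."""
    return stat.S_IMODE(os.stat(path).st_mode)


def token_cache_is_exposed(path):
    """Audit check: True if group or other hold any access bit, i.e. the
    file is not locked down to its owner (0o600 or stricter)."""
    return bool(file_mode(path) & (stat.S_IRWXG | stat.S_IRWXO))


def write_cache_insecure(path, token=SAMPLE_TOKEN):
    """The 'before' behaviour: open() creates the file as 0o666 & ~umask,
    which is 0o644 under the common 022 umask, so every local user can
    read the token. Returns the resulting mode."""
    with open(path, "w") as fh:
        json.dump(token, fh)
    return file_mode(path)


def write_cache_secure(path, token=SAMPLE_TOKEN):
    """Hardened writer: create a temporary file beside the cache with mode
    0o600 from creation (umask can only remove bits, never add them), so
    there is no window in which the token is readable, then atomically
    replace the cache. Replacing rather than rewriting also repairs a
    pre-existing cache that an older version left at 0o644, since open()
    on an existing file would keep its old mode. Returns the new mode."""
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp_path = tempfile.mkstemp(prefix=".cache-", dir=directory)
    try:
        with os.fdopen(fd, "w") as fh:
            os.fchmod(fd, stat.S_IRUSR | stat.S_IWUSR)  # explicit 0o600
            json.dump(token, fh)
        os.replace(tmp_path, path)
    except BaseException:
        if os.path.exists(tmp_path):
            os.unlink(tmp_path)
        raise
    return file_mode(path)


def demo(directory=None):
    """Run both writers under a 022 umask (the typical default that gives
    0o644) and report the resulting modes and audit verdicts."""
    directory = directory or tempfile.mkdtemp(prefix="spotipy-demo-")
    old_umask = os.umask(0o022)
    try:
        exposed = os.path.join(directory, ".cache-insecure")
        locked = os.path.join(directory, ".cache-secure")
        result = {
            "insecure_mode": write_cache_insecure(exposed),
            "insecure_exposed": token_cache_is_exposed(exposed),
            "secure_mode": write_cache_secure(locked),
            "secure_exposed": token_cache_is_exposed(locked),
            # Rewriting the exposed cache with the secure writer fixes it.
            "repaired_mode": write_cache_secure(exposed),
            "repaired_exposed": token_cache_is_exposed(exposed),
        }
    finally:
        os.umask(old_umask)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {oct(value) if isinstance(value, int) and not isinstance(value, bool) else value}")
```

The audit function is the part worth keeping after the package is upgraded: a fixed writer only changes files it creates from now on, so caches written by 2.25.0 stay at 644 until they are rewritten or chmod'ed, and a scan for exposed cache files in home directories is how to find them.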