CVE-2025-27154

9.8 CRITICAL

📋 TL;DR

Spotipy versions before 2.25.1 create cache files with overly permissive 644 permissions, exposing Spotify authentication tokens to other users or processes on the same system. Attackers who can read these tokens can perform administrative actions on the associated Spotify accounts. This affects all users of vulnerable Spotipy versions on multi-user systems or shared environments.

💻 Affected Systems

Products:
  • spotipy
Versions: All versions before 2.25.1
Operating Systems: Linux, Unix-like systems, macOS, Windows (though file permission impact differs)
Default Config Vulnerable: ⚠️ Yes
Notes: Windows systems are less affected due to different permission models, but the vulnerability still exists. Multi-user Linux/Unix systems are most at risk.


⚠️ Risk & Real-World Impact

🔴 Worst Case

Full account takeover of Spotify accounts, allowing attackers to modify playlists, access private data, change account settings, or perform unauthorized actions based on token scopes.

🟠 Likely Case

Unauthorized access to Spotify account data and limited administrative actions by local users or processes on shared systems.

🟢 If Mitigated

No impact if proper file permissions are enforced or the system is single-user with no malicious local users.

🌐 Internet-Facing: LOW - This is a local file permission issue, not directly exploitable over the network.
🏢 Internal Only: HIGH - On multi-user systems, shared hosting, or containers, local attackers can easily read exposed tokens.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires local access to read the cache file. Simple cat/read commands can extract tokens from improperly secured cache files.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.25.1

Vendor Advisory: https://github.com/spotipy-dev/spotipy/security/advisories/GHSA-pwhh-q4h6-w599

Restart Required: No

Instructions:

1. Update Spotipy using pip: 'pip install --upgrade "spotipy>=2.25.1"' (the double quotes stop the shell from treating >= as a redirection).
2. Verify that newly created cache files have 600 permissions.
3. Manually secure existing cache files if needed.

🔧 Temporary Workarounds

Manual permission hardening

linux

Manually change permissions on existing Spotipy cache files to 600

chmod 600 ~/.cache/spotipy/*.cache
find ~/.cache/spotipy -name "*.cache" -exec chmod 600 {} \;

Custom CacheHandler implementation

all

Override CacheHandler to enforce strict permissions

Create custom class inheriting from CacheHandler with proper os.chmod() calls
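A CacheHandler subclass of the kind this workaround describes, added here as an example (not Spotipy's own code): it creates the cache file with 0600 permissions from the outset instead of chmod-ing it after a default-umask write, and tightens a pre-existing loose cache file before reading it. It assumes spotipy's CacheHandler interface (get_cached_token / save_token_to_cache) and a POSIX permission model, and falls back to a local stand-in base class when spotipy is not installed.

```python
import json
import os
import stat
import tempfile

# Inherit spotipy's abstract CacheHandler when installed; the fallback mirrors
# its interface (assumed: get_cached_token / save_token_to_cache) so this runs
# stand-alone.
try:
    from spotipy.cache_handler import CacheHandler
except ImportError:
    class CacheHandler:
        def get_cached_token(self):
            raise NotImplementedError

        def save_token_to_cache(self, token_info):
            raise NotImplementedError

OWNER_RW = stat.S_IRUSR | stat.S_IWUSR  # 0o600


def cache_file_mode(path):
    """Permission bits of path (e.g. 0o600) without the file-type bits."""
    return stat.S_IMODE(os.stat(path).st_mode)


class OwnerOnlyCacheFileHandler(CacheHandler):
    """Keep token_info as JSON in a file only its owner can read or write."""

    def __init__(self, cache_path):
        self.cache_path = os.path.abspath(cache_path)

    def save_token_to_cache(self, token_info):
        # mkstemp creates the file as 0600 from the start, so there is no
        # umask-derived 0644 window; the rename then atomically replaces any
        # older, looser cache file with the new owner-only one.
        fd, tmp = tempfile.mkstemp(dir=os.path.dirname(self.cache_path))
        with os.fdopen(fd, "w") as fh:
            json.dump(token_info, fh)
        os.chmod(tmp, OWNER_RW)  # explicit, for platforms that ignore the mode
        os.replace(tmp, self.cache_path)

    def get_cached_token(self):
        if not os.path.exists(self.cache_path):
            return None
        # A cache left by spotipy < 2.25.1 may still be 0644: tighten it
        # before reading rather than trusting whatever is on disk.
        if cache_file_mode(self.cache_path) & (stat.S_IRWXG | stat.S_IRWXO):
            os.chmod(self.cache_path, OWNER_RW)
        with open(self.cache_path) as fh:
            return json.load(fh)
```

Pass an instance as the cache_handler argument of SpotifyOAuth to use it in place of the default file handler.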

🧯 If You Can't Patch

  • Manually set permissions on all Spotipy cache files to 600 and monitor for new files
  • Run Spotipy in isolated environments or containers with no other users

🔍 How to Verify

Check if Vulnerable:

Check the Spotipy version with 'pip show spotipy' and confirm whether it is below 2.25.1. Check cache file permissions with 'ls -la ~/.cache/spotipy/*.cache'; files should not be group- or world-readable.

Check Version:

pip show spotipy | grep Version

Verify Fix Applied:

After upgrade, create new cache file by authenticating, then verify permissions: 'ls -la ~/.cache/spotipy/*.cache' should show 600 permissions.

📡 Detection & Monitoring

Log Indicators:

  • Unusual Spotify API calls from unexpected locations
  • Multiple authentication events from same token

Network Indicators:

  • Spotify API requests from unexpected IPs or user agents

SIEM Query:

source="spotify_api" AND (user_agent!="expected_agent" OR src_ip NOT IN allowed_ips)
