CVE-2025-27154
Published: 27 February 2025
Description
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.
Security Summary
CVE-2025-27154 is a vulnerability in Spotipy, a lightweight Python library for interacting with the Spotify Web API. The issue affects the CacheHandler class, which creates a cache file to store Spotify authentication tokens. In versions prior to 2.25.1, this file is created with overly permissive rw-r--r-- (644) permissions by default, rather than the more secure rw------- (600) permissions. This misconfiguration, classified under CWE-276 (Incorrect Default Permissions), exposes the authentication token to unauthorized access and has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
An attacker with local access to the system—such as another user on the same machine or a process running under a different user—can read the cache file containing the Spotify auth token. Once obtained, the token can be exploited remotely to perform administrative actions on the victim's Spotify account, depending on the scopes granted during authentication. The high CVSS score reflects the potential for network-based impact through token misuse, despite the local prerequisite for file access.
The Spotipy security advisory (GHSA-pwhh-q4h6-w599) and release notes recommend upgrading to version 2.25.1, which patches the issue by tightening cache file permissions to rw------- (600). The fix is implemented in commit 1ca453f6ef87a2a9e9876f52b6cb38d13532ccf2, visible in the updated cache_handler.py code. Practitioners should audit systems using vulnerable Spotipy versions and ensure proper file permissions on existing cache files.
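As an added illustration (not Spotipy's own code), the following shows the permissive write pattern the summary describes beside an owner-only form that sets 0600 at creation, together with the permission audit check recommended for existing cache files. The cache file names, the constructed token JSON and the demo() helper are hypothetical.

```python
import os
import stat
import tempfile

# Constructed stand-in for the token cache; the value is a placeholder, not a real token.
SAMPLE_TOKEN_JSON = '{"access_token": "EXAMPLE-TOKEN-PLACEHOLDER", "scope": "user-read-email"}'


def write_cache_permissive(path: str, data: str) -> None:
    """Pre-fix pattern: plain open() inherits the process umask, which with the
    common umask 022 yields rw-r--r-- (0644), readable by every local user."""
    with open(path, "w") as f:
        f.write(data)


def write_cache_owner_only(path: str, data: str) -> None:
    """Hardened pattern: request 0600 from the kernel at creation time, so the
    file is never world-readable even briefly, then write through that fd."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(data)
    # os.open's mode only applies when the file is created; if an older cache
    # file already existed with loose bits, tighten it explicitly.
    os.chmod(path, 0o600)


def cache_file_mode(path: str) -> int:
    """Permission bits of an existing cache file, e.g. 0o644 or 0o600."""
    return stat.S_IMODE(os.stat(path).st_mode)


def is_exposed(path: str) -> bool:
    """Audit check: True if group or others hold any permission on the file."""
    return bool(cache_file_mode(path) & (stat.S_IRWXG | stat.S_IRWXO))


def demo(umask: int = 0o022) -> dict:
    """Write both variants under a fixed umask and report their modes (hypothetical helper)."""
    old = os.umask(umask)
    try:
        with tempfile.TemporaryDirectory() as d:
            bad, good = os.path.join(d, ".cache-bad"), os.path.join(d, ".cache-good")
            write_cache_permissive(bad, SAMPLE_TOKEN_JSON)
            write_cache_owner_only(good, SAMPLE_TOKEN_JSON)
            return {"permissive": cache_file_mode(bad), "permissive_exposed": is_exposed(bad),
                    "owner_only": cache_file_mode(good), "owner_only_exposed": is_exposed(good)}
    finally:
        os.umask(old)


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, oct(value) if isinstance(value, int) and not isinstance(value, bool) else value)
```

Running is_exposed() over each user's Spotipy cache path is the audit step; any file that reports True should be chmod'ed to 0600 and its token treated as potentially disclosed.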
Details
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability creates a cache file containing auth tokens with weak 644 permissions, directly enabling local access to credentials that software has stored in files.