Platform
python
Component
spotipy
Fixed in
2.25.3
2.25.2
CVE-2025-66040 describes a cross-site scripting (XSS) vulnerability present in spotipy versions up to 2.9.0. This flaw allows attackers to inject malicious JavaScript code into a user's browser during the OAuth authentication process. The vulnerability stems from improper sanitization of the 'error' parameter within the OAuth callback server. A patch is available in version 2.25.2.
The primary impact of this XSS vulnerability is the potential for attackers to execute arbitrary JavaScript code within the context of a user's browser session. This could lead to various malicious actions, including session hijacking, credential theft, redirection to phishing sites, and defacement of the user interface. An attacker could leverage this vulnerability to gain unauthorized access to sensitive user data or compromise the user's account. The scope of the impact depends on the privileges associated with the affected user account and the sensitivity of the data accessed through the spotipy application.
This vulnerability was publicly disclosed on 2025-12-01. No known active exploitation campaigns have been reported at this time. There are currently no public proof-of-concept exploits available, but the vulnerability's nature makes it relatively easy to exploit. Its CVSS score of 3.6 (LOW) reflects the relatively limited impact and ease of mitigation.
Applications and services that rely on spotipy for OAuth authentication are at risk. This includes developers integrating spotipy into their projects and users who authenticate with applications using spotipy. Shared hosting environments where multiple applications share the same spotipy installation are particularly vulnerable.
• python / spotipy: Inspect OAuth callback handling code (spotipy/oauth2.py) for unsanitized error parameter usage.
• generic web: Monitor access logs for requests containing suspicious characters in the 'error' parameter of OAuth callback URLs.
• generic web: Use a WAF to block requests containing JavaScript code in the 'error' parameter of OAuth callback URLs.
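The access-log check in the second item above can be made more robust than a literal substring match: browsers percent-encode `<` and `>` in query strings, so a grep for a raw `<script>` never sees the encoded form. The following added example (not code from this page or from the spotipy project) parses Apache-style request lines, URL-decodes the `error` parameter, and flags any value outside the short token alphabet that legitimate OAuth 2.0 error codes use. The log lines are constructed samples, not real traffic.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE_LOG = """\
127.0.0.1 - - [01/Dec/2025:10:00:01 +0000] "GET /?code=AQD1234&state=abc HTTP/1.1" 200 512 "-" "Mozilla/5.0"
127.0.0.1 - - [01/Dec/2025:10:00:02 +0000] "GET /?error=access_denied&state=abc HTTP/1.1" 200 412 "-" "Mozilla/5.0"
127.0.0.1 - - [01/Dec/2025:10:00:03 +0000] "GET /?error=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 470 "-" "Mozilla/5.0"
127.0.0.1 - - [01/Dec/2025:10:00:04 +0000] "GET /?error=%253Cscript%253Ealert(1)%253C%252Fscript%253E HTTP/1.1" 200 470 "-" "Mozilla/5.0"
127.0.0.1 - - [01/Dec/2025:10:00:05 +0000] "GET /?error=server_error HTTP/1.1" 200 412 "-" "Mozilla/5.0"
"""

# Extract the request target from the quoted request line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Real OAuth 2.0 error codes (access_denied, invalid_request, server_error, ...)
# are short tokens; markup characters, quotes or percent signs never belong there.
SAFE_ERROR_RE = re.compile(r'^[A-Za-z0-9_.\-]+$')


def suspicious_error_values(log_text):
    """Return (line_number, decoded_error_value) for every request whose 'error'
    query parameter contains characters outside the OAuth error-code alphabet."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = REQUEST_RE.search(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        query = urlsplit(m.group("target")).query
        for value in parse_qs(query, keep_blank_values=True).get("error", []):
            # parse_qs already decoded one layer; a second unquote exposes
            # double-encoded payloads so the report shows what would render.
            decoded = unquote(value)
            if not SAFE_ERROR_RE.match(decoded):
                hits.append((lineno, decoded))
    return hits


if __name__ == "__main__":
    for lineno, value in suspicious_error_values(SAMPLE_LOG):
        print(f"line {lineno}: suspicious error value {value!r}")
```

Run against the sample, lines 3 and 4 are reported (the double-encoded one would also be caught even without the second decode, because `%` is outside the allowed alphabet); the two legitimate error codes on lines 2 and 5 are not. Pointing the function at a real log file is a matter of reading the file into `log_text`.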
grep -i 'error=.*<script>' /var/log/apache2/access.log
Disclosure
Exploit status
EPSS
0.03% (10th percentile)
CISA SSVC
CVSS vector
The recommended mitigation for CVE-2025-66040 is to immediately upgrade to spotipy version 2.25.2 or later. This version includes a fix that properly sanitizes the 'error' parameter, preventing the XSS vulnerability. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to filter out potentially malicious characters from the 'error' parameter in OAuth callbacks. Additionally, carefully review and sanitize any user-supplied input used in HTML generation to prevent similar vulnerabilities. After upgrading, confirm the fix by attempting to trigger the OAuth flow with a crafted 'error' parameter containing JavaScript code; it should be properly escaped and not executed.
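To make the "sanitize user-supplied input used in HTML generation" advice and the post-upgrade check concrete, here is an added example (hypothetical code written for this page, not spotipy's own callback handler): a minimal callback-page renderer in its vulnerable form beside the escaped form, plus the verification step the paragraph describes, rendering a crafted callback URL and confirming that no raw script tag survives. The host, port and page markup are assumptions.

```python
import html
from urllib.parse import urlsplit, parse_qs


def _error_param(callback_url):
    """Pull the 'error' query parameter out of a callback URL ('' if absent)."""
    return parse_qs(urlsplit(callback_url).query).get("error", [""])[0]


def render_callback_vulnerable(callback_url):
    """'Before' pattern: the error value is interpolated into HTML verbatim,
    so any markup in it becomes part of the page the browser executes."""
    error = _error_param(callback_url)
    if error:
        return "<html><body><h1>Authorization failed: %s</h1></body></html>" % error
    return "<html><body><h1>Authorization succeeded.</h1></body></html>"


def render_callback_fixed(callback_url):
    """'After' pattern: every reflected value passes through html.escape, which
    turns < > & and quotes into entities, so markup is displayed, not executed."""
    error = _error_param(callback_url)
    if error:
        return "<html><body><h1>Authorization failed: %s</h1></body></html>" % html.escape(error)
    return "<html><body><h1>Authorization succeeded.</h1></body></html>"


# Constructed crafted callback, as the advisory suggests for verifying the fix.
CRAFTED_CALLBACK = "http://127.0.0.1:8080/?error=%3Cscript%3Ealert(1)%3C%2Fscript%3E&state=xyz"


def verify_fix(render):
    """Post-upgrade check: render the crafted callback with the given renderer and
    return True only if the script tag comes back escaped rather than raw."""
    page = render(CRAFTED_CALLBACK)
    return "<script>" not in page and "&lt;script&gt;" in page


if __name__ == "__main__":
    print("vulnerable renderer passes check:", verify_fix(render_callback_vulnerable))
    print("fixed renderer passes check:", verify_fix(render_callback_fixed))
```

The same check applies to a real deployment: after upgrading, open the application's callback URL with the crafted `error` value and inspect the response body (view-source or `curl`) for an entity-encoded tag; a raw tag in the body means the version in use still reflects the parameter unescaped. Note that `html.escape` is the right tool only when the value lands in element content or a quoted attribute; a value placed inside a `<script>` block or a URL needs context-specific encoding instead.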
Update the spotipy library to version 2.25.2 or later. This fixes the XSS vulnerability in the OAuth callback server. You can update with `pip install --upgrade spotipy`.
CVE-2025-66040 is a cross-site scripting (XSS) vulnerability in spotipy versions up to 2.9.0, allowing attackers to inject JavaScript during OAuth authentication.
If you are using spotipy version 2.9.0 or earlier, you are potentially affected by this vulnerability. Upgrade to 2.25.2 or later to mitigate the risk.
The recommended fix is to upgrade to spotipy version 2.25.2 or later. Consider WAF rules as a temporary workaround if upgrading is not immediately possible.
No active exploitation campaigns have been reported, but the vulnerability is relatively easy to exploit and could be targeted in the future.
Refer to the spotipy project's official release notes and security advisories for details on this vulnerability and the corresponding fix.