Platform
python
Component
spotipy
Fixed in
2.25.3
2.25.2
CVE-2025-66040 is a reflected cross-site scripting (XSS) vulnerability in spotipy, the Python client for the Spotify Web API, present in releases before the fixed version 2.25.2. When the library completes an OAuth authorization-code flow it starts a small HTTP server on the loopback interface to receive the redirect; that server wrote the 'error' query parameter of the redirect URL into the HTML it returned without escaping it. An attacker who gets the user to open a crafted callback URL while that listener is running therefore gets attacker-supplied JavaScript executed in the user's browser. The fix shipped in version 2.25.2.
The primary impact is execution of attacker-controlled JavaScript in the user's browser. The script runs in the origin of the local callback listener (the loopback host and port spotipy is bound to), not in Spotify's origin, so Spotify session cookies are not directly within its reach. The realistic outcomes are redirecting the user to a phishing page that imitates the Spotify login, defacing the callback page, or otherwise abusing the user's trust in a page that appears to be part of the sign-in flow; credential theft follows from that social-engineering step rather than from direct access to an authenticated session. The scope therefore depends on what the user can be persuaded to do on the attacker-controlled page and on the sensitivity of the data the spotipy application handles.
This vulnerability was publicly disclosed on 2025-12-01. No active exploitation campaigns have been reported and no public proof-of-concept exploit is known, although crafting the malicious URL is trivial; the obstacle for an attacker is getting the victim to open it during the short window in which the callback listener is running. The CVSS score of 3.6 (LOW) reflects that precondition and the limited impact of script execution in the callback page's own origin.
Exploit Status
EPSS
0.03% (10th percentile)
The recommended mitigation for CVE-2025-66040 is to upgrade to spotipy version 2.25.2 or later, which escapes the 'error' parameter before embedding it in the callback page. A Web Application Firewall is not a useful stop-gap here: the callback server is a short-lived listener on the loopback interface that the browser contacts directly, so no proxy or WAF sits in front of it. If upgrading is not immediately feasible, apply the same rule to any code of your own that renders OAuth redirect parameters: HTML-escape every value taken from the query string (html.escape in the standard library) before writing it into a page. After upgrading, confirm the fix by running the OAuth flow with a crafted 'error' parameter containing a script tag; the response should show the tag escaped rather than executing it.
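The following is an added example, not spotipy's own code. It reproduces the class of bug described above in a minimal loopback callback handler (the vulnerable interpolation beside the hardened html.escape form) and implements the post-upgrade check: it starts a throwaway listener on an ephemeral loopback port, sends a redirect carrying a crafted 'error' parameter, and reports whether the raw payload comes back unescaped. All names (render_callback_page, make_handler, probe_callback, run_probe) and the payload string are hypothetical constructions for this example.

```python
"""Added example: a minimal loopback OAuth callback listener in two variants
(vulnerable and hardened), plus a probe that checks whether a running listener
reflects a crafted 'error' parameter unescaped. Not spotipy's code."""
import html
import threading
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Optional

# Constructed payload: what an attacker would place in the crafted redirect URL.
XSS_PAYLOAD = "<script>alert(document.domain)</script>"


def render_callback_page(error: Optional[str], code: Optional[str], escape: bool) -> str:
    """Build the HTML a callback listener shows once the redirect arrives.
    escape=False reproduces the vulnerable pattern (the 'error' query value is
    interpolated into HTML verbatim); escape=True is the hardened form."""
    if error is not None:
        shown = html.escape(error, quote=True) if escape else error
        return f"<html><body><h1>Error: {shown}</h1></body></html>"
    if code is not None:
        return "<html><body><h1>OK</h1>You may now close this window.</body></html>"
    return "<html><body><h1>Missing code or error parameter</h1></body></html>"


def make_handler(escape: bool):
    """Return a request handler class bound to one rendering mode."""

    class CallbackHandler(BaseHTTPRequestHandler):
        def do_GET(self):
            params = urllib.parse.parse_qs(urllib.parse.urlparse(self.path).query)
            body = render_callback_page(
                params.get("error", [None])[0], params.get("code", [None])[0], escape
            ).encode()
            self.send_response(200)
            self.send_header("Content-Type", "text/html; charset=utf-8")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, *args):  # keep the example quiet
            pass

    return CallbackHandler


def probe_callback(port: int, payload: str = XSS_PAYLOAD) -> bool:
    """Send a crafted 'error' parameter to a callback listener on 127.0.0.1:port.
    Returns True if the raw payload is reflected in the response body, i.e. the
    listener is still vulnerable. Point this at any local callback server."""
    url = f"http://127.0.0.1:{port}/?{urllib.parse.urlencode({'error': payload})}"
    with urllib.request.urlopen(url, timeout=5) as resp:
        return payload in resp.read().decode("utf-8", errors="replace")


def run_probe(escape: bool) -> bool:
    """Start a throwaway listener on an ephemeral loopback port, probe it once,
    shut it down, and return whether it reflected the payload."""
    server = HTTPServer(("127.0.0.1", 0), make_handler(escape))
    thread = threading.Thread(target=server.serve_forever, daemon=True)
    thread.start()
    try:
        return probe_callback(server.server_address[1], XSS_PAYLOAD)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print("vulnerable handler reflects payload:", run_probe(escape=False))
    print("hardened handler reflects payload:", run_probe(escape=True))
```

To verify a real upgrade rather than the toy handler, start the library's OAuth flow so its callback listener is up, then call probe_callback with the port from your redirect URI; a patched listener returns False because the tag comes back as `&lt;script&gt;`.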
Update the Spotipy library to version 2.25.2 or higher. This will fix the XSS vulnerability in the OAuth callback server. You can update using `pip install --upgrade spotipy`.
CVE-2025-66040 is a cross-site scripting (XSS) vulnerability in spotipy versions before 2.25.2: the local OAuth callback server reflected the unescaped 'error' parameter into its HTML response, allowing attacker-supplied JavaScript to run in the user's browser during authentication.
If you are using a spotipy version earlier than 2.25.2, you are affected. Upgrade to 2.25.2 or later to mitigate the risk.
The recommended fix is to upgrade to spotipy version 2.25.2 or later. A WAF is not a workable interim measure for a loopback callback listener; until you upgrade, HTML-escape any redirect parameters that your own code renders.
No active exploitation campaigns have been reported. The malicious URL is trivial to craft, but exploitation requires the user to open it while the callback listener is running, which limits its attractiveness; it could still be targeted in the future.
Refer to the spotipy project's official release notes and security advisories for details on this vulnerability and the corresponding fix.