CVE-2025-27154: Spotipy's cache file, containing spotify auth token, is created with overly broad permissions
The CacheHandler class creates a cache file to store the auth token here: https://github.com/spotipy-dev/spotipy/blob/master/spotipy/cache_handler.py#L93-L98
The file created has rw-r--r-- (644) permissions by default, when it could be locked down to rw------- (600) permissions. I think 600 is a sensible default.
References
- github.com/advisories/GHSA-pwhh-q4h6-w599
- github.com/spotipy-dev/spotipy
- github.com/spotipy-dev/spotipy/blob/master/spotipy/cache_handler.py
- github.com/spotipy-dev/spotipy/commit/1ca453f6ef87a2a9e9876f52b6cb38d13532ccf2
- github.com/spotipy-dev/spotipy/releases/tag/2.25.1
- github.com/spotipy-dev/spotipy/security/advisories/GHSA-pwhh-q4h6-w599
- nvd.nist.gov/vuln/detail/CVE-2025-27154
Code Behaviors & Features
Detect and mitigate CVE-2025-27154 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →