CVE-2025-66040: Spotipy has an XSS vulnerability in its OAuth callback server
Spotipy's OAuth flow can start a local HTTP server to receive the authorization redirect from Spotify. The handler for that callback copies the "error" query parameter of the redirect into the HTML response page without escaping it, which is a reflected cross-site scripting (XSS) flaw: a crafted redirect URL whose "error" value carries markup causes attacker-supplied JavaScript to run in the user's browser during OAuth authentication. Exploitation needs the user to open such a URL while the local callback server is listening. The remediation is to HTML-escape every value taken from the redirect before interpolating it into the response page, and to update to a Spotipy release that includes that fix.
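The following is an added example illustrating the bug class, not Spotipy's own code: a minimal local OAuth callback listener that renders the redirect's query parameters into a status page. The handler, page template, port and the attacker payload in it are constructed for the demonstration. Rendering with escape=False reproduces the vulnerable pattern (the "error" value lands in the HTML verbatim); escape=True applies the fix with html.escape.

```python
"""Added example: reflected XSS in an OAuth callback page, and its fix.

Stand-alone illustration of the bug class in the advisory; this is not
Spotipy's code. The handler, template, payload and port are assumptions
constructed for the demo.
"""
import html
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, quote, urlparse

# Constructed attacker payload: what a crafted redirect could put in ?error=
XSS_PAYLOAD = "<script>alert(document.cookie)</script>"
# Constructed malicious callback URL path as the browser would request it
CRAFTED_PATH = "/?error=" + quote(XSS_PAYLOAD) + "&state=abc"


def parse_callback(path: str) -> dict:
    """Parse the query string of an OAuth redirect such as /?code=...&state=...
    or /?error=access_denied&state=..., keeping the first value of each key."""
    query = parse_qs(urlparse(path).query)
    return {key: values[0] for key, values in query.items() if values}


def render_callback_page(path: str, escape: bool) -> str:
    """Build the HTML shown in the user's browser after the redirect.

    escape=False is the vulnerable pattern: the error parameter is
    interpolated into the page verbatim, so it can carry tags and scripts.
    escape=True is the fix: html.escape neutralises <, >, &, and quotes.
    """
    params = parse_callback(path)
    if "code" in params:
        status = "successful"
    elif "error" in params:
        status = f"failed ({params['error']})"
    else:
        return "<html><body><h1>Invalid request</h1></body></html>"
    if escape:
        status = html.escape(status, quote=True)
    return (
        "<html><body>"
        f"<h1>Authentication status: <b>{status}</b></h1>"
        "</body></html>"
    )


def reflects_payload(page: str, payload: str = XSS_PAYLOAD) -> bool:
    """True if the raw, unescaped payload survives into the rendered page."""
    return payload in page


class CallbackHandler(BaseHTTPRequestHandler):
    """Minimal loopback listener like the one a CLI app opens for the redirect."""
    escape = True  # set to False to serve the vulnerable version

    def do_GET(self):
        body = render_callback_page(self.path, escape=self.escape).encode("utf-8")
        self.send_response(200)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def serve(port: int = 8888) -> None:
    """Run the hardened listener on 127.0.0.1:port (Ctrl-C to stop)."""
    HTTPServer(("127.0.0.1", port), CallbackHandler).serve_forever()


if __name__ == "__main__":
    print("vulnerable:", render_callback_page(CRAFTED_PATH, escape=False))
    print("fixed:     ", render_callback_page(CRAFTED_PATH, escape=True))
```

To see the difference in a browser, run serve() and open http://127.0.0.1:8888/ followed by the crafted query; with CallbackHandler.escape set to False the script tag executes, with the default it is shown as text. Escaping at the point of interpolation is the right fix because the redirect's parameters are attacker-controllable input even though the server only listens on loopback.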