Date: 2024-06-10
Author: Security Insights Lab

Overview

A recent security flaw was discovered in the popular Python library, Spotipy, which lets developers access the Spotify Web API. The vulnerability, tracked as CVE-2025-27154, allows other local users or processes to read the Spotify authentication token stored in a cache file with insecure permissions. This could allow those users to hijack your Spotify session—potentially changing playlists, controlling playback, or even performing destructive actions.

This post dives deeply into what went wrong, how the exploit works, and how Spotipy fixed it in version 2.25.1. Let’s keep it simple and practical, so you stay protected.

What Is Spotipy?

Spotipy is a lightweight Python client for the Spotify Web API. It’s widely used in scripts and apps to automate music recommendations, playlist management, or playback control. To access Spotify’s API, an authentication token must be securely stored—usually cached on disk to avoid repeated logins.

Where: The CacheHandler Class

By default, Spotipy’s token cache is just a regular text file written by the CacheHandler class. Before version 2.25.1, the cache file was created with permissions rw-r--r-- (octal 644). This means:

- Group and *all users* on the system can read it.

That’s a problem because the token in that file can be used to control and access Spotify on your behalf.

Vulnerable code pattern:

```python
with open(self.cache_path, "w") as f:
    f.write(token_info_json)
# File created with default permissions (rw-r--r--)
```

With these permissions, anyone with access to your computer could potentially read your token and misuse it.

Why Does This Matter?

Spotify’s API token isn’t just a password—it grants different levels of access based on the “scope” chosen when logging in. For example, if you allowed broad permissions, someone with your token could:

Read your private playlists, followers, and even your email address

Depending on how you run Spotipy (shared server, university workstation, cloud environment), these tokens could leak to unintended users.

```bash
ls -l /home/alice/.cache/spotipy/
```

```bash
cat /home/alice/.cache/spotipy/.cache-fooey123
```

```json
{
...
}
```

That’s it! You can now impersonate *Alice* on Spotify until she notices and refreshes her token.

How Spotipy Fixed It

Starting from version 2.25.1, Spotipy addressed this issue by *locking down the permissions* of the cache file to rw------- (600) by default:

```python
import os

with open(self.cache_path, "w") as f:
    f.write(token_info_json)
os.chmod(self.cache_path, 0o600)  # Now only the owner can read/write
```

This means only the owner can read or modify the token file—no more snooping by others on the same machine.

- Upgrade Spotipy:

```bash
pip install --upgrade spotipy
```


- Check your cache files:  
  Make sure your .cache files in ~/.cache/spotipy/ are not world-readable.

```bash
chmod 600 ~/.cache/spotipy/.cache-*  # Fix permissions manually
```

- Don’t share machines:
If you’re running scripts on shared servers or workstations, be aware of this risk.

- Rotate your tokens:
If you suspect your token was exposed, re-authenticate to get a fresh one.
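The following is an added example (not Spotipy’s own code) covering the two points above: it creates the cache file with owner-only permissions at creation time rather than with a chmod after the write, and it scans a cache directory for files that group or other users can still read. It assumes a POSIX filesystem; the file names, directory and token value are constructed for the demo.

```python
import os
import stat
import tempfile

# Bits that let anyone other than the file owner read, write or execute.
GROUP_OTHER_BITS = stat.S_IRWXG | stat.S_IRWXO


def write_token_cache(cache_path: str, token_info_json: str) -> None:
    """Write token JSON so the file is owner-only (0600) from creation.

    Passing the mode to os.open applies it when the file is created, so
    there is no window in which it exists with the umask default (often
    644) before a later chmod. fchmod also tightens a pre-existing file.
    """
    fd = os.open(cache_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        os.fchmod(fd, 0o600)
        f.write(token_info_json)


def cache_mode(path: str) -> int:
    """Permission bits of path, e.g. 0o644 or 0o600."""
    return stat.S_IMODE(os.stat(path).st_mode)


def find_insecure_caches(cache_dir: str) -> list:
    """Return regular files in cache_dir that group or others can access."""
    insecure = []
    for name in sorted(os.listdir(cache_dir)):
        path = os.path.join(cache_dir, name)
        st = os.stat(path)
        if stat.S_ISREG(st.st_mode) and st.st_mode & GROUP_OTHER_BITS:
            insecure.append(path)
    return insecure


def demo() -> dict:
    """Constructed scenario: one cache written the old way, one hardened."""
    cache_dir = tempfile.mkdtemp(prefix="spotipy-demo-")
    token = '{"access_token": "CONSTRUCTED_NOT_A_REAL_TOKEN"}'
    old = os.path.join(cache_dir, ".cache-olduser")
    with open(old, "w") as f:  # the vulnerable pattern from the post
        f.write(token)
    os.chmod(old, 0o644)       # force the pre-2.25.1 default explicitly
    new = os.path.join(cache_dir, ".cache-newuser")
    write_token_cache(new, token)
    return {"old": old, "new": new, "insecure": find_insecure_caches(cache_dir)}
```

Running `demo()` reports only the file written with the old pattern as insecure; the hardened file never passes through a world-readable state.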

---

## References

- Spotipy v2.25.1 Release Notes
- Spotipy: Python client for Spotify Web API
- Spotipy Pull Request (permission fix)
- CVE Record for CVE-2025-27154 (MITRE)

---

## Conclusion

CVE-2025-27154 is a textbook case of why file permissions matter for access tokens—even on your own laptop or script server. A small mistake could let others take complete control of your Spotify account. Make sure you upgrade Spotipy, fix your file permissions, and always keep sensitive data locked down!

Stay safe and keep your music yours.

---


Timeline

Published on: 02/27/2025 14:15:36 UTC
Last modified on: 04/07/2025 18:24:53 UTC