
AIKIDO-2025-10119

spotipy is vulnerable to Incorrect Default Permissions

Incorrect Default Permissions | CVE-2025-27154 | Published Feb 27, 2025

84 (High Risk)

This Affects:

python / spotipy
Versions 0.1 - 2.25.0
Fixed in 2.25.1

TL;DR

Affected versions of this package set incorrect default permissions on the cache file that the CacheHandler class writes to persist the Spotify auth token. The file is created with rw-r--r-- (0644) permissions, which makes it readable by every other user account on the host, instead of the owner-only rw------- (0600). Any other local user or process that can read the file obtains the token and can call the Spotify API as the victim; depending on the scopes granted to the token, that can include administrative actions on the associated Spotify account.

Who does this affect?

You are affected if you run a spotipy version in the vulnerable range (0.1 through 2.25.0) and rely on its file-based token cache, particularly on a shared or multi-user host where other accounts or untrusted processes can read files in the directory that holds the cache.

Background info

spotipy is vulnerable to Incorrect Default Permissions in versions 0.1 - 2.25.0: the token cache file is written with world-readable (0644) permissions rather than being restricted to its owner.

How to fix this

Upgrade spotipy to 2.25.1 or later. Installing the upgrade does not by itself alter a cache file that is already on disk, so also check the mode of any existing token cache file and restrict it to the owner (chmod 600 on the file). If the file was readable by other users on a shared host, treat the token as exposed: revoke the application's access from the Spotify account settings and re-authorize.
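The following is an added example, not spotipy's own code and not part of the original advisory. It demonstrates the weak and the hardened way of persisting a token cache file as described in the TL;DR, and the permission check and re-tightening you would apply to an existing cache file as part of the fix. The file names, the token payload and the helper names are assumptions made for the demo; it uses only the Python standard library and expects a POSIX host.

```python
import json
import os
import stat
import tempfile

# Constructed sample payload shaped like a cached OAuth token (not a real token).
SAMPLE_TOKEN = {
    "access_token": "example-access-token",
    "refresh_token": "example-refresh-token",
    "scope": "user-read-private",
}


def save_token_weak(path, token_info):
    """Weak pattern: a plain open(..., "w") creates the file with mode 0o666
    masked by the process umask. With the common 0o022 umask that is 0o644,
    i.e. readable by every other user on the host."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(token_info, fh)


def save_token_hardened(path, token_info):
    """Hardened pattern: request owner-only (0o600) permissions at creation,
    then chmod explicitly as well, because os.open's mode argument is applied
    only when the file is first created (and is itself reduced by the umask);
    chmod also covers a file that already existed with loose permissions."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        json.dump(token_info, fh)
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)


def load_token(path):
    with open(path, "r", encoding="utf-8") as fh:
        return json.load(fh)


def file_mode(path):
    """Permission bits only (e.g. 0o644), without the file-type bits."""
    return stat.S_IMODE(os.stat(path).st_mode)


def is_readable_by_others(path):
    """Audit check for a token cache: True if group or world holds any bit."""
    return bool(file_mode(path) & (stat.S_IRWXG | stat.S_IRWXO))


def demo():
    """Write a cache file both ways under a 0o022 umask and report the modes.
    Also shows the hardened saver tightening a loose file that already exists."""
    previous_umask = os.umask(0o022)
    try:
        with tempfile.TemporaryDirectory() as tmp:
            weak_path = os.path.join(tmp, ".cache-weak")       # assumed file name
            hard_path = os.path.join(tmp, ".cache-hardened")   # assumed file name
            save_token_weak(weak_path, SAMPLE_TOKEN)
            save_token_hardened(hard_path, SAMPLE_TOKEN)
            result = {
                "weak_mode": file_mode(weak_path),
                "weak_exposed": is_readable_by_others(weak_path),
                "hardened_mode": file_mode(hard_path),
                "hardened_exposed": is_readable_by_others(hard_path),
                "roundtrip_ok": load_token(hard_path) == SAMPLE_TOKEN,
            }
            # Re-save the loose file with the hardened routine: O_CREAT's mode
            # does nothing for an existing file, so the explicit chmod is what
            # brings it down to 0o600.
            save_token_hardened(weak_path, SAMPLE_TOKEN)
            result["retightened_mode"] = file_mode(weak_path)
            return result
    finally:
        os.umask(previous_umask)


if __name__ == "__main__":
    for key, value in demo().items():
        shown = oct(value) if isinstance(value, int) and not isinstance(value, bool) else value
        print(f"{key}: {shown}")
```

The audit helper is the check to run against an existing cache file after upgrading: any group or world bit on a file holding an OAuth token means other local accounts could have read it, which is the condition under which the token should be revoked and re-issued rather than merely re-protected.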