CVE-2025-27154
Published: 27 February 2025
Summary
CVE-2025-27154 is a critical-severity Incorrect Default Permissions (CWE-276) vulnerability in Spotipy (Spotipy Project). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Credentials In Files (T1552.001); ranked at the 46.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SC-28 (Protection of Information at Rest).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- CM-6 (Configuration Settings): Mandates secure and restrictive configuration settings for file permissions, directly addressing the overly permissive default rw-r--r-- (644) on the Spotipy cache file containing auth tokens.
- SC-28 (Protection of Information at Rest): Requires protection of sensitive information at rest, such as Spotify auth tokens in cache files, using restrictive access controls like rw------- (600) permissions to prevent unauthorized local reads.
- Ensures timely identification, reporting, and remediation of flaws like CVE-2025-27154 by upgrading Spotipy to version 2.25.1, which implements the secure permission fix.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability causes the library to create a cache file containing auth tokens with weak 644 permissions, which directly enables local access to credentials stored in files by software (T1552.001).
NVD Description
Spotipy is a lightweight Python library for the Spotify Web API. The `CacheHandler` class creates a cache file to store the auth token. Prior to version 2.25.1, the file created has `rw-r--r--` (644) permissions by default, when it could be locked down to `rw-------` (600) permissions. This leads to overly broad exposure of the spotify auth token. If this token can be read by an attacker (another user on the machine, or a process running as another user), it can be used to perform administrative actions on the Spotify account, depending on the scope granted to the token. Version 2.25.1 tightens the cache file permissions.
Deeper analysis
CVE-2025-27154 is a vulnerability in Spotipy, a lightweight Python library for interacting with the Spotify Web API. The issue affects the CacheHandler class, which creates a cache file to store Spotify authentication tokens. In versions prior to 2.25.1, this file is created with overly permissive rw-r--r-- (644) permissions by default, rather than the more secure rw------- (600) permissions. This misconfiguration, classified under CWE-276 (Incorrect Default Permissions), exposes the authentication token to unauthorized access and has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
An attacker with local access to the system—such as another user on the same machine or a process running under a different user—can read the cache file containing the Spotify auth token. Once obtained, the token can be exploited remotely to perform administrative actions on the victim's Spotify account, depending on the scopes granted during authentication. The high CVSS score reflects the potential for network-based impact through token misuse, despite the local prerequisite for file access.
The Spotipy security advisory (GHSA-pwhh-q4h6-w599) and release notes recommend upgrading to version 2.25.1, which patches the issue by tightening cache file permissions to rw------- (600). The fix is implemented in commit 1ca453f6ef87a2a9e9876f52b6cb38d13532ccf2, visible in the updated cache_handler.py code. Practitioners should audit systems using vulnerable Spotipy versions and ensure proper file permissions on existing cache files.
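The audit step recommended above, as an added illustration that is not Spotipy's own code: it flags token cache files with any group/other permission bit set, tightens them to 0600, and shows how to create a cache file that never exists with a wider mode. The `.cache*` name pattern, the `write_token_cache` helper and the token payload are assumptions constructed for the example, not values taken from the advisory.

```python
import os
import stat
import tempfile
from pathlib import Path

# Assumed name pattern for Spotipy token caches; the page does not state the default path.
CACHE_GLOB = ".cache*"
# Any group/other bit on a token cache means another local user may read or alter it.
EXPOSED_BITS = stat.S_IRWXG | stat.S_IRWXO

def find_exposed_cache_files(directory):
    """Return (path, octal mode) for cache files readable or writable by group/others."""
    exposed = []
    for path in Path(directory).glob(CACHE_GLOB):
        if path.is_file():
            mode = stat.S_IMODE(path.stat().st_mode)
            if mode & EXPOSED_BITS:
                exposed.append((str(path), oct(mode)))
    return exposed

def write_token_cache(path, token_json):
    """Create or replace a token cache so it never exists with a mode wider than 0600."""
    # Passing the mode to os.open avoids the race of creating at 0644 and chmod-ing
    # afterwards; umask can only clear bits, so the result is at most 0600.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(token_json)
    return stat.S_IMODE(os.stat(path).st_mode)

def remediate(directory):
    """Tighten every exposed cache file in `directory` to 0600; return the paths changed."""
    fixed = []
    for path, _mode in find_exposed_cache_files(directory):
        os.chmod(path, 0o600)
        fixed.append(path)
    return fixed

def demo():
    """Constructed scenario: one cache left at the vulnerable 0644, one written the safe way."""
    workdir = tempfile.mkdtemp()
    fake = '{"access_token": "CONSTRUCTED-EXAMPLE-TOKEN"}'  # not a real Spotify token
    legacy = os.path.join(workdir, ".cache")
    with open(legacy, "w") as fh:
        fh.write(fake)
    os.chmod(legacy, 0o644)  # the pre-2.25.1 default described in the advisory
    write_token_cache(os.path.join(workdir, ".cache-alice"), fake)
    before = [p for p, _ in find_exposed_cache_files(workdir)]
    fixed = remediate(workdir)
    after = find_exposed_cache_files(workdir)
    return {"before": before, "fixed": fixed, "after": after, "legacy": legacy}
```

Run `demo()` to see the 0644 file reported, fixed and then absent from a second scan; point `find_exposed_cache_files` at the directories your own deployments write caches to.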
Details
- CWE(s)