How to fix CVE-2025-27154?

Within 7 days: Identify all affected systems and apply vendor patches promptly. Vendor patch is available.

Is Python affected by CVE-2025-27154?

Organizations using Spotipy face notable risk from CVE-2025-27154, a incorrect default permissions vulnerability rated CVSS 8.4. Attackers could escalate their privileges to gain elevated access beyond their authorized level.

CVE-2025-27154

HIGH

2025-02-27 [email protected]

8.4

CVSS 4.0

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Lifecycle Timeline

Analysis Generated

Mar 28, 2026 - 18:28 vuln.today

Patch Released

Mar 28, 2026 - 18:28 nvd

Patch available

PoC Detected

Apr 07, 2025 - 18:24 vuln.today

Public exploit code

CVE Published

Feb 27, 2025 - 14:15 nvd

HIGH 8.4

Description

Spotipy is a lightweight Python library for the Spotify Web API. The `CacheHandler` class creates a cache file to store the auth token. Prior to version 2.25.1, the file created has `rw-r--r--` (644) permissions by default, when it could be locked down to `rw-------` (600) permissions. This leads to overly broad exposure of the spotify auth token. If this token can be read by an attacker (another user on the machine, or a process running as another user), it can be used to perform administrative actions on the Spotify account, depending on the scope granted to the token. Version 2.25.1 tightens the cache file permissions.

Analysis

Spotipy is a lightweight Python library for the Spotify Web API. Rated high severity (CVSS 8.4), this vulnerability is low attack complexity. Public exploit code available.

Technical Context

This vulnerability is classified as Incorrect Default Permissions (CWE-276), which allows attackers to access resources due to overly permissive default settings. Spotipy is a lightweight Python library for the Spotify Web API. The `CacheHandler` class creates a cache file to store the auth token. Prior to version 2.25.1, the file created has `rw-r--r--` (644) permissions by default, when it could be locked down to `rw-------` (600) permissions. This leads to overly broad exposure of the spotify auth token. If this token can be read by an attacker (another user on the machine, or a process running as another user), it can be used to perform administrative actions on the Spotify account, depending on the scope granted to the token. Version 2.25.1 tightens the cache file permissions. Affected products include: Spotipy Project Spotipy. Version information: version 2.25.1.

Affected Products

Spotipy Project Spotipy.

Remediation

A vendor patch is available. Apply the latest security update as soon as possible. Set restrictive default permissions, follow principle of least privilege, review defaults during deployment.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.2

CVSS: +42

POC: +20

Vendor Status

CVE-2025-27154 vulnerability details – vuln.today

Back

CVE-2025-27154

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Vendor Status

Share

CVE-2025-27154

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Vendor Status

Share

External POC / Exploit Code