CVE-2025-27154 Overview
CVE-2025-27154 is a high-severity insecure permissions vulnerability in Spotipy, a lightweight Python library for the Spotify Web API. The cache file that Spotipy's CacheHandler (in practice the file-backed CacheFileHandler subclass) writes to store authentication tokens is created with the process's default, umask-derived permissions, typically rw-r--r-- (644), rather than the owner-only rw------- (600) appropriate for credential material. Any other user or process on the same host that can read the file obtains the cached token data, which includes the refresh token as well as the access token, and can call the Spotify Web API as the victim within the scopes the user granted to the application.
Critical Impact
Local attackers can read Spotify authentication tokens from world-readable cache files, gaining API access to the victim's Spotify account limited to the scopes granted to the original token. Because the cache also holds the refresh token, that access outlives the short-lived access token and persists until the user revokes the application.
Affected Products
- Spotipy versions prior to 2.25.1
- Applications using Spotipy's file-based cache handler (CacheFileHandler, which SpotifyOAuth uses by default when no cache_handler is supplied)
- Multi-user systems running Spotipy-based applications
Discovery Timeline
- 2025-02-27 - CVE-2025-27154 published to NVD
- 2025-04-07 - Last updated in NVD database
Technical Details for CVE-2025-27154
Vulnerability Analysis
This vulnerability is classified under CWE-276 (Incorrect Default Permissions). The flaw exists in spotipy/cache_handler.py, in the save_token_to_cache method of the file-backed cache handler. The token is written with a plain open(path, "w"), which creates the file with mode 0o666 masked by the process umask; under the common 022 umask that yields 0o644, so every other account on the host can read the token.
The local attack vector means an attacker must already be able to read files on the system where the vulnerable Spotipy installation runs. That is a common situation on shared hosting, multi-user workstations, CI runners, and containerized deployments where several workloads share a filesystem or a user namespace.
Root Cause
The root cause is that the cache file is created without an explicit, restrictive mode. The original implementation left the permissions to the process umask, which on most Unix-like systems produces 644 (rw-r--r--). The cached JSON holds OAuth credentials (access token, refresh token, granted scope, expiry) and should be treated as a secret, so the file should be owner-readable only from the moment it is created.
Attack Vector
The attack requires local access to the target system. Any local user or process able to traverse to the cache file can read it; by default the file is named .cache, or .cache-<username> when a username is configured, and is created in the working directory of the process. Once the token is extracted, the attacker can call the Spotify Web API with the same permissions granted to the original application, which depending on the token's scope may include playlist modification, account information access, or playback control, and can use the refresh token to obtain new access tokens after the cached one expires.
try:
with open(self.cache_path, "w", encoding='utf-8') as f:
f.write(json.dumps(token_info, cls=self.encoder_cls))
+ # https://github.com/spotipy-dev/spotipy/security/advisories/GHSA-pwhh-q4h6-w599
+ os.chmod(self.cache_path, 0o600)
except OSError:
logger.warning(f"Couldn't write token to cache at: {self.cache_path}")
+ except FileNotFoundError:
+ logger.warning(f"Couldn't set permissions to cache file at: {self.cache_path}")
class MemoryCacheHandler(CacheHandler):
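Review bot: the new except FileNotFoundError branch is unreachable, because FileNotFoundError is a subclass of OSError and the except OSError clause above it already catches it, so a missing file at chmod time logs "Couldn't write token to cache" instead of the intended permissions message; put the more specific handler first or merge the two clauses. Separately, calling os.chmod after the with block leaves a window in which the file exists with umask-derived (typically 0644) bits and the token already written; creating the file with os.open(self.cache_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600) closes that window for new files, and writing to a 0600 temporary file followed by os.replace also covers a 0644 cache left behind by an earlier version, which this patch only corrects at the next save.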
Source: GitHub Commit
The fix adds an explicit os.chmod() call that sets the file mode to 0o600 (owner read/write only) immediately after the token is written, preventing other users on the system from reading it. The chmod runs on every save, so a cache file created by an older version keeps its permissive mode until the application next saves a token.
Detection Methods for CVE-2025-27154
Indicators of Compromise
- Cache files with permissions more permissive than 600 (e.g., .cache or .cache-<username> files in the application's working directory)
- Unexpected access to Spotipy cache files by non-owner processes
- Anomalous Spotify API activity from tokens that should be restricted to specific applications
- File access audit logs showing reads of cache files by unauthorized users
Detection Strategies
- Audit file permissions on Spotipy cache files using ls -la or equivalent commands to identify world-readable token caches
- Use file access auditing (for example auditd read watches on the cache files) to record reads by other users, and file integrity monitoring (FIM) to flag changes to the files' mode or ownership
- Monitor Spotify API access patterns for anomalous activity that may indicate stolen token usage
- Deploy endpoint detection solutions to alert on file permission misconfigurations
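The permission audit described in the strategies above, written out as a small Python checker. This is an added example, not code from the original page or from the Spotipy project. It assumes a POSIX filesystem, matches Spotipy's default cache file names (.cache and .cache-<username>), confirms a match really contains token fields before fixing it, and builds its own constructed fixture in a temporary directory so it runs offline.

```python
"""Audit and fix Spotipy token cache files with group/other permission bits.

Added example (not Spotipy's code). POSIX only: relies on st_mode bits.
"""
import json
import os
import stat
import tempfile
from pathlib import Path

# Fields Spotipy stores in its cache JSON; used to tell a real token cache
# from an unrelated file that merely shares the ".cache-*" naming.
TOKEN_KEYS = {"access_token", "refresh_token"}
# Any group or other permission bit means the file is exposed beyond the owner.
EXPOSED_BITS = stat.S_IRWXG | stat.S_IRWXO


def is_spotipy_cache_name(name: str) -> bool:
    """Spotipy's default cache names are '.cache' or '.cache-<username>'."""
    return name == ".cache" or name.startswith(".cache-")


def looks_like_token_file(path: Path) -> bool:
    """True if the file parses as a JSON object carrying token fields."""
    try:
        data = json.loads(path.read_text(encoding="utf-8"))
    except (OSError, ValueError):
        return False
    return isinstance(data, dict) and bool(TOKEN_KEYS & set(data))


def audit(root: str) -> list[dict]:
    """Walk root and report cache-named regular files readable by group/others."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not is_spotipy_cache_name(name):
                continue
            path = Path(dirpath) / name
            st = path.lstat()                      # lstat: never follow symlinks
            if not stat.S_ISREG(st.st_mode):
                continue
            mode = stat.S_IMODE(st.st_mode)
            if mode & EXPOSED_BITS:
                findings.append({
                    "path": str(path),
                    "mode": f"{mode:04o}",
                    "holds_token": looks_like_token_file(path),
                })
    return findings


def remediate(findings: list[dict]) -> int:
    """chmod 600 every finding that actually holds a token; return the count fixed."""
    fixed = 0
    for finding in findings:
        if finding["holds_token"]:
            os.chmod(finding["path"], 0o600)
            fixed += 1
    return fixed


def build_sample(root: str) -> None:
    """Constructed fixture: an exposed token cache, a correct one, and a non-token file."""
    samples = {
        ".cache-alice": ({"access_token": "BQ-alice", "refresh_token": "AQ-alice",
                          "scope": "playlist-modify-private"}, 0o644),
        ".cache": ({"access_token": "BQ-default", "refresh_token": "AQ-default",
                    "scope": "user-read-email"}, 0o600),
        ".cache-notes": ({"theme": "dark"}, 0o644),
    }
    for name, (payload, mode) in samples.items():
        path = Path(root) / name
        path.write_text(json.dumps(payload), encoding="utf-8")
        os.chmod(path, mode)  # force the mode so the fixture is umask-independent


def demo() -> dict:
    """Build the fixture, audit it, fix the real token caches, audit again."""
    root = tempfile.mkdtemp(prefix="spotipy-audit-")
    build_sample(root)
    before = audit(root)
    fixed = remediate(before)
    after = audit(root)
    return {
        "before": sorted(Path(f["path"]).name for f in before),
        "fixed": fixed,
        "after": sorted(Path(f["path"]).name for f in after),
    }


if __name__ == "__main__":
    print(demo())
```

Point audit() at the application's working directory or a whole home tree; remediate() deliberately leaves non-token matches alone so a script does not silently change modes on unrelated files.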
Monitoring Recommendations
- Enable file access auditing on directories where Spotipy applications store cache files
- Configure SIEM rules to alert on world-readable files containing authentication tokens
- Where your application proxies or logs its Spotify API calls, look for the same token being used from unexpected hosts, IP addresses, or user agents
- Implement regular security scans to identify insecure file permissions across development and production environments
How to Mitigate CVE-2025-27154
Immediate Actions Required
- Upgrade Spotipy to version 2.25.1 or later immediately
- Manually correct permissions on existing cache files with chmod 600, covering both .cache and .cache-* files, since the patch only re-sets the mode when a token is next saved
- Treat tokens cached on multi-user systems as exposed: have affected users revoke the application's access in their Spotify account settings and re-authorize, which invalidates the cached refresh token
- Review application deployments to identify all instances using vulnerable Spotipy versions
Patch Information
The vulnerability has been fixed in Spotipy version 2.25.1. The patch adds an explicit os.chmod(self.cache_path, 0o600) call after the token cache file is written, so the file ends up owner-only regardless of the process umask. Users should upgrade with pip install --upgrade "spotipy>=2.25.1" (the quotes stop the shell from treating > as a redirect). For detailed patch information, see the GitHub Security Advisory and the release notes for version 2.25.1.
Workarounds
- Run the application with a restrictive umask (for example umask 077) so new cache files are created 600, or chmod them after each token refresh
- Use the MemoryCacheHandler instead of file-based caching to avoid writing tokens to disk entirely (the token is then lost on restart and the user must re-authorize)
- Deploy applications in isolated environments where file system access is restricted to a single user
- Implement a custom CacheHandler subclass that enforces proper file permissions
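A custom cache handler of the kind the last workaround suggests, also addressing the root cause discussed above. This is an added example, not Spotipy's own code or the 2.25.1 patch. It keeps Spotipy's two-method CacheHandler interface (get_cached_token and save_token_to_cache) so an instance can be passed as cache_handler= to SpotifyOAuth; the fallback base class is an assumption that only exists so the example runs where spotipy is not installed. Instead of chmod-after-write, it writes to a temporary file that is created 0600 and atomically renames it into place, so the token never sits on disk with permissive bits and an old 644 cache is replaced rather than truncated in place. POSIX only (uses os.getuid and st_mode bits).

```python
"""Cache handler that never leaves a Spotipy token world-readable.

Added example, not Spotipy's code. POSIX only.
"""
import json
import os
import stat
import tempfile
from pathlib import Path

try:
    from spotipy.cache_handler import CacheHandler
except ImportError:  # assumption: minimal stand-in with the same interface
    class CacheHandler:
        def get_cached_token(self):
            raise NotImplementedError

        def save_token_to_cache(self, token_info):
            raise NotImplementedError


class SecureFileCacheHandler(CacheHandler):
    """Write token_info to a 0600 temp file and os.replace() it into place.

    mkstemp creates the temp file with mode 0600 (the umask can only remove
    bits), and rename keeps that mode, so there is no window in which the
    token is readable by others, and a pre-existing 0644 cache is replaced.
    """

    def __init__(self, cache_path=".cache"):
        self.cache_path = Path(cache_path)

    def get_cached_token(self):
        try:
            st = self.cache_path.lstat()
        except FileNotFoundError:
            return None
        # Refuse symlinks and files owned by another user: both suggest the
        # cache is not what this process wrote.
        if not stat.S_ISREG(st.st_mode) or st.st_uid != os.getuid():
            return None
        with open(self.cache_path, encoding="utf-8") as f:
            return json.load(f)

    def save_token_to_cache(self, token_info):
        fd, tmp = tempfile.mkstemp(prefix=".token-tmp-", dir=self.cache_path.parent)
        try:
            with os.fdopen(fd, "w", encoding="utf-8") as f:
                json.dump(token_info, f)
                f.flush()
                os.fsync(f.fileno())
            os.replace(tmp, self.cache_path)  # atomic on POSIX
        except BaseException:
            try:
                os.unlink(tmp)  # don't leave a half-written token behind
            except FileNotFoundError:
                pass
            raise


def demo(directory=None) -> dict:
    """Overwrite a constructed 0644 cache (as left by Spotipy < 2.25.1) and check the result."""
    root = directory or tempfile.mkdtemp(prefix="spotipy-secure-")
    path = Path(root) / ".cache-alice"
    path.write_text(json.dumps({"access_token": "stale"}), encoding="utf-8")
    os.chmod(path, 0o644)  # constructed: the vulnerable layout

    handler = SecureFileCacheHandler(path)
    token = {  # constructed token_info, same shape Spotipy caches
        "access_token": "BQ-new", "token_type": "Bearer", "expires_in": 3600,
        "refresh_token": "AQ-new", "scope": "user-read-email", "expires_at": 1700003600,
    }
    handler.save_token_to_cache(token)
    mode = stat.S_IMODE(path.stat().st_mode)
    leftovers = [p.name for p in Path(root).iterdir() if p.name.startswith(".token-tmp-")]
    return {"mode": f"{mode:04o}", "roundtrip": handler.get_cached_token() == token,
            "leftover_tmp": leftovers}


if __name__ == "__main__":
    print(demo())
```

Use it as SpotifyOAuth(..., cache_handler=SecureFileCacheHandler(".cache-alice")). The temp file must live in the same directory as the cache so that os.replace is a rename rather than a copy.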
# Fix permissions on existing cache files (Spotipy names them .cache or .cache-<username>)
find /path/to/app -type f \( -name ".cache" -o -name ".cache-*" \) -exec chmod 600 {} \;
# Verify permissions are correctly set (expect -rw------- on each file)
find /path/to/app -type f \( -name ".cache" -o -name ".cache-*" \) -exec ls -la {} \;
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


