Snyk has a proof-of-concept or detailed explanation of how to exploit this vulnerability.
Upgrade spotipy to version 2.25.1 or higher.
spotipy is a lightweight Python library for the Spotify Web API.
Affected versions of this package are vulnerable to Incorrect Default Permissions via the CacheHandler class. An attacker can gain unauthorized access to administrative actions on the Spotify account by reading the Spotify auth token exposed in the file created by the CacheHandler class with the rw-r--r-- (644) default permissions.
Run an application that uses spotipy with client creation like this:
from os import getenv
from pathlib import Path

import spotipy


def create_spotify_client(client_id: str, client_secret: str) -> spotipy.Spotify:
    """Create and return an authenticated Spotify client.

    Args:
        client_id: Spotify API client ID
        client_secret: Spotify API client secret
    Returns:
        An authenticated Spotify client instance
    """
    # The token cache is written by CacheFileHandler; in affected versions it is
    # created with the process default mode, i.e. rw-r--r-- (644) under a 022 umask.
    cache_path = Path.home() / ".cache" / "spotify-backup/.auth_cache"
    cache_path.parent.mkdir(parents=True, exist_ok=True)
    cache_handler = spotipy.cache_handler.CacheFileHandler(cache_path=str(cache_path))
    client = spotipy.Spotify(
        auth_manager=spotipy.oauth2.SpotifyOAuth(
            client_id=client_id,
            client_secret=client_secret,
            redirect_uri="http://localhost:8000/callback",
            cache_handler=cache_handler,
            scope=[
                "user-library-read",
                "playlist-read-private",
                "playlist-read-collaborative",
            ],
        )
    )
    return client


# Credentials are read from spotipy's standard SPOTIPY_* environment variables.
create_spotify_client(getenv("SPOTIPY_CLIENT_ID"), getenv("SPOTIPY_CLIENT_SECRET"))
And then check the file permissions on the cache file that was created with:
$ ls -la ~/.cache/spotify-backup/.auth_cache
.rw-r--r--. alichtman alichtman 562 B Thu Feb 20 02:12:33 2025 /home/alichtman/.cache/spotify-backup/.auth_cache
If this issue is combined with another misconfiguration, like having o+r permissions set on your home directory, an attacker will be able to read this file and steal this auth token.
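A defender-side check and hardened writer for this class of issue, added here as an example (it is not spotipy's code and not part of the advisory): it audits a token cache file's mode and shows how to create the file as owner-only (0600) from the moment it exists, rather than relying on the umask. The token dict and paths are constructed samples; how spotipy 2.25.1 itself fixes CacheFileHandler is not shown on this page.

```python
import json
import os
import stat
import tempfile
from pathlib import Path


def cache_permission_problems(path: Path) -> list[str]:
    """Return findings for a token cache file; an empty list means it is private to the owner."""
    mode = stat.S_IMODE(path.stat().st_mode)
    problems = []
    if mode & stat.S_IRGRP:
        problems.append("group-readable")
    if mode & stat.S_IROTH:
        problems.append("world-readable")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("writable by others")
    return problems


def write_private_token_cache(path: Path, token_info: dict) -> int:
    """Write token_info as JSON with mode 0600 and return the resulting mode.

    os.open applies 0o600 at creation time (the umask can only remove bits, never add
    them), so there is no window where the file exists as 644. os.fchmod re-asserts
    0o600 in case the file already existed with looser permissions.
    """
    path.parent.mkdir(parents=True, exist_ok=True)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:  # fdopen owns fd and closes it
        os.fchmod(fd, 0o600)
        json.dump(token_info, fh)
    return stat.S_IMODE(path.stat().st_mode)


def demo() -> dict:
    """Constructed sample: write the same token two ways under a 022 umask and audit both."""
    token = {"access_token": "EXAMPLE-NOT-A-REAL-TOKEN", "scope": "user-library-read"}
    old_umask = os.umask(0o022)  # the common default that yields rw-r--r-- (644)
    try:
        with tempfile.TemporaryDirectory() as tmp:
            default_path = Path(tmp) / ".auth_cache_default"
            default_path.write_text(json.dumps(token))  # plain open(): 0666 & ~umask = 644
            private_path = Path(tmp) / ".auth_cache_private"
            write_private_token_cache(private_path, token)
            return {"default": cache_permission_problems(default_path),
                    "private": cache_permission_problems(private_path)}
    finally:
        os.umask(old_umask)
```

Running demo() reports the plain-open file as group- and world-readable and the hardened file as clean; the same audit can be pointed at an existing ~/.cache/spotify-backup/.auth_cache to confirm whether an upgrade or a manual chmod 600 is still needed.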