Spotipy has a XSS vulnerability in OAuth callback server

3.6 / 10

LOW

CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N

Description

Spotipy is a Python library for the Spotify Web API. Prior to version 2.25.2, there is a cross-site scripting (XSS) vulnerability in the OAuth callback server that allows for JavaScript injection through the unsanitized error parameter. Attackers can execute arbitrary JavaScript in the user's browser during OAuth authentication. This issue has been patched in version 2.25.2.

Basic Information

ID CVE-2025-66040

Source GitHub_M

Published Nov 26, 2025 at 23:14

Affected Product

Vendor spotipy-dev

Product spotipy

Version < 2.25.2

Affected Versions spotipy-dev spotipy < 2.25.2

CWE Classification

CWE-79

References

{
    "lastseen": "",
    "description": "Spotipy is a Python library for the Spotify Web API. Prior to version 2.25.2, there is a cross-site scripting (XSS) vulnerability in the OAuth callback server that allows for JavaScript injection through the unsanitized error parameter. Attackers can execute arbitrary JavaScript in the user's browser during OAuth authentication. This issue has been patched in version 2.25.2.",
    "published": "2025-11-26T23:14:44.795Z",
    "modified": "2025-11-26T23:14:44.795Z",
    "type": "cve",
    "title": "Spotipy has a XSS vulnerability in OAuth callback server",
    "source": "GitHub_M",
    "references": "https://github.com/spotipy-dev/spotipy/security/advisories/GHSA-r77h-rpp9-w2xm\nhttps://github.com/spotipy-dev/spotipy/commit/880b92d7243dcf2b83bf31dc365a858d8b5e6767",
    "id": "CVE-2025-66040",
    "bulletinFamily": "",
    "cwe": [
        "CWE-79"
    ],
    "cvelist": null,
    "sourceData": "spotipy-dev spotipy < 2.25.2",
    "sourceHref": "",
    "cvss": {
        "score": 3.6,
        "severity": "LOW",
        "vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "spotipy",
    "version": "< 2.25.2",
    "vendor": "spotipy-dev",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Spotipy has a XSS vulnerability in OAuth callback server_CVE-2025-66040