spotipy
PyPI
3 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting spotipy (page 1 of 1)
- CVE-2023-23608 · severity: NONE · CVSS 0.0 · EG 0.0 · ✓ Fixed in 2.22.1 · 2023-01-26
vulnerable: 0.1 ... 2.9.0 (46 versions)
Spotipy is a lightweight Python library for the Spotify Web API. In versions prior to 2.22.1, if a malicious URI is passed to the library, the library can be tricked into performing an operation on a different API endpoint than intended. …
- CVE-2025-27154 · severity: CRITICAL · CVSS 9.8 · EG 9.8 · ✓ Fixed in 2.25.1 · 2025-02-27
vulnerable: 0.1 ... 2.9.0 (50 versions)
Spotipy is a lightweight Python library for the Spotify Web API. The `CacheHandler` class creates a cache file to store the auth token. Prior to version 2.25.1, the file created has `rw-r--r--` (644) permissions by default, when it could b…
- CVE-2025-66040 · severity: LOW · CVSS 3.6 · EG 3.6 · ✓ Fixed in 2.25.2 · 2025-11-27
vulnerable: 0.1 ... 2.9.0 (51 versions)
Spotipy is a Python library for the Spotify Web API. Prior to version 2.25.2, there is a cross-site scripting (XSS) vulnerability in the OAuth callback server that allows for JavaScript injection through the unsanitized error parameter. At…
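The CVE-2023-23608 summary above says only that a malicious URI can redirect an operation to a different endpoint; the advisory text here does not give the exact vector. The following is an added, generic illustration of that failure mode and is not spotipy's code: it builds a request URL from an untrusted identifier with `urllib.parse.urljoin` (which applies RFC 3986 dot-segment removal, so a `../` payload walks out of the intended collection) and, beside it, a builder that validates the identifier first. The `../me` payload, the `API_BASE` constant and the helper names are assumptions made for the example; the 22-character base-62 shape of Spotify IDs is taken from Spotify's own documentation.

```python
import re
from urllib.parse import urljoin

# Public Web API base, used here purely for illustration of URL construction.
API_BASE = "https://api.spotify.com/v1/"

# Spotify IDs are base-62 strings; the documented form is 22 characters long.
_SPOTIFY_ID = re.compile(r"[0-9A-Za-z]{22}")


def track_url_weak(track: str) -> str:
    """Resolve a caller-supplied value against the /tracks/ collection
    without validating it.  urljoin removes dot segments, so a value such
    as '../me' (constructed payload) escapes /tracks/ and lands on /v1/me,
    i.e. a different endpoint than the caller intended."""
    return urljoin(API_BASE + "tracks/", track)


def parse_spotify_id(value: str, expected_type: str) -> str:
    """Accept either a bare ID or a spotify:<type>:<id> URI and return the
    bare ID.  Anything that is not exactly 22 base-62 characters (so any
    '/', '.', '?', '#' or ':' smuggled in) is rejected before it can reach
    the URL builder."""
    parts = value.split(":")
    if len(parts) == 3 and parts[0] == "spotify":
        if parts[1] != expected_type:
            raise ValueError(f"expected a {expected_type} URI, got {parts[1]!r}")
        candidate = parts[2]
    elif len(parts) == 1:
        candidate = parts[0]
    else:
        raise ValueError(f"malformed Spotify identifier: {value!r}")
    if not _SPOTIFY_ID.fullmatch(candidate):
        raise ValueError(f"invalid Spotify ID: {candidate!r}")
    return candidate


def track_url_hardened(track: str) -> str:
    """Only a validated base-62 ID is ever interpolated into the path, so
    the request cannot leave the /tracks/ collection."""
    return f"{API_BASE}tracks/{parse_spotify_id(track, 'track')}"


if __name__ == "__main__":
    good = "spotify:track:6rqhFgbbKwnb9MLmUQDhG6"   # example ID from Spotify's docs
    print("weak, benign   :", track_url_weak("6rqhFgbbKwnb9MLmUQDhG6"))
    print("weak, traversal:", track_url_weak("../me"))
    print("hardened, URI  :", track_url_hardened(good))
    try:
        track_url_hardened("../me")
    except ValueError as exc:
        print("hardened, traversal rejected:", exc)
```

The same validate-then-build pattern applies to every place a library turns a user-controlled ID, URI or URL fragment into a request path; the upgrade to 2.22.1 or later remains the actual fix for the library itself.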
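CVE-2025-27154 above concerns a token cache file created with `644` permissions, so any local user can read the OAuth access and refresh tokens. The block below is an added example, not spotipy's `CacheHandler` code: it shows the weak pattern (a plain `open()` call, which yields `0o666` masked by the process umask, i.e. `644` under the usual `022`), the hardened pattern (`os.open` with an explicit `0o600` mode, `O_EXCL` so a pre-planted file or symlink is refused, and `fchmod` so a permissive umask cannot widen it), and a small audit helper for finding exposed cache files on a host. The `.cache` filename prefix, the sample token JSON and the helper names are assumptions for the example; it targets POSIX permission bits.

```python
import os
import stat
import tempfile

# Constructed sample payload standing in for a cached token; not a real credential.
SAMPLE_TOKEN_JSON = '{"access_token": "EXAMPLE", "refresh_token": "EXAMPLE"}'


def write_cache_weak(path: str, data: str) -> None:
    """Create the cache file the way a plain open() does: mode 0o666 masked
    by the process umask, so with the common 022 umask it ends up 0o644
    (world-readable).  This is the pattern the advisory describes."""
    with open(path, "w") as fh:
        fh.write(data)


def write_cache_hardened(path: str, data: str) -> None:
    """Create the cache file owner-read/write only.  os.open applies 0o600 at
    creation, O_EXCL refuses an already-existing path (including a symlink an
    attacker planted there), and fchmod re-applies 0o600 so a loose umask
    cannot widen the mode."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    try:
        os.fchmod(fd, 0o600)
    except OSError:
        os.close(fd)
        raise
    with os.fdopen(fd, "w") as fh:
        fh.write(data)


def file_mode(path: str) -> int:
    """Permission bits of a file (e.g. 0o644) with the file-type bits removed."""
    return stat.S_IMODE(os.stat(path).st_mode)


def is_exposed(path: str) -> bool:
    """True if anyone other than the owner can read, write or execute the file."""
    return bool(file_mode(path) & 0o077)


def find_exposed_caches(directory: str, prefix: str = ".cache") -> list:
    """Audit helper: list regular files under `directory` whose name starts
    with `prefix` and that are group- or world-accessible.  The `.cache`
    prefix is an assumption about how token caches are commonly named;
    adjust it to whatever cache path your application uses."""
    hits = []
    for name in sorted(os.listdir(directory)):
        full = os.path.join(directory, name)
        if name.startswith(prefix) and os.path.isfile(full) and is_exposed(full):
            hits.append(full)
    return hits


def demo() -> dict:
    """Write one cache the weak way and one the hardened way under a fixed
    022 umask and report the resulting modes plus the audit findings."""
    old_umask = os.umask(0o022)
    try:
        with tempfile.TemporaryDirectory() as tmp:
            weak = os.path.join(tmp, ".cache-weak")
            good = os.path.join(tmp, ".cache-good")
            write_cache_weak(weak, SAMPLE_TOKEN_JSON)
            write_cache_hardened(good, SAMPLE_TOKEN_JSON)
            return {
                "weak_mode": file_mode(weak),
                "hardened_mode": file_mode(good),
                "exposed": [os.path.basename(p) for p in find_exposed_caches(tmp)],
            }
    finally:
        os.umask(old_umask)


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, oct(value) if isinstance(value, int) else value)
```

On a host that already ran a vulnerable version, upgrading alone does not shrink the existing file: run the audit, `chmod 600` anything it reports, and treat the tokens it held as exposed (revoke the app's access in the Spotify account settings so the refresh token stops working).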
Check whether spotipy is used in your infrastructure
EchelonGraph scans your cloud and SBOMs to map every package to your actual deployments. See blast radius for spotipy CVEs against the assets you own.