CVE-2025-66040
Publication date 27 November 2025
Last updated 28 November 2025
Ubuntu priority
Cvss 3 Severity Score: 3.6 (Low), computed from the CVSS:3.1 vector in the breakdown below
Description
Spotipy is a Python library for the Spotify Web API. Prior to version 2.25.2, the HTTP server that Spotipy runs to receive the OAuth redirect reflects the "error" query parameter into its HTML response without escaping it, a reflected cross-site scripting (XSS) flaw. An attacker who can get the user to open a crafted callback URL while that server is listening (the CVSS vector below rates this as Local attack vector with User Interaction Required) can execute arbitrary JavaScript in the user's browser during OAuth authentication. This issue has been patched in version 2.25.2; upgrade spotipy to 2.25.2 or later.
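The following is an added example, not code from Spotipy or from the advisory: a minimal OAuth callback page renderer written first as the kind of reflected-XSS sink the description refers to, then hardened with html.escape(). It assumes (this is an assumption, not something the advisory states) that the callback handler extracts the "error" value from the redirect's query string and interpolates it into an HTML status page; the page template, function names and the sample callback URLs are constructed for the example.

```python
"""Added example (not spotipy's own code): a minimal OAuth callback page
renderer, first as a reflected-XSS sink of the kind CVE-2025-66040
describes, then hardened with html.escape().

Assumption (not taken from the advisory): the callback handler reads the
`error` parameter from the redirect's query string and interpolates it into
an HTML status page. The template and URLs below are constructed.
"""
import html
from urllib.parse import parse_qs, urlsplit

# Constructed template; in a real handler this is the body of the HTTP response.
PAGE = """<html><body>
<h1>Authentication status: {status}</h1>
This window can be closed.
</body></html>"""


def parse_callback(url: str) -> dict:
    """Return the OAuth redirect parameters (code/state/error) as a dict."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {k: v[0] for k, v in qs.items()}


def render_vulnerable(url: str) -> str:
    """Vulnerable form: the attacker-influenced `error` value is interpolated
    raw into the HTML body, so markup in it is parsed by the browser."""
    params = parse_callback(url)
    if "code" in params:
        status = "successful"
    elif "error" in params:
        status = f"failed ({params['error']})"  # untrusted data into HTML
    else:
        status = "invalid request"
    return PAGE.format(status=status)


def render_hardened(url: str) -> str:
    """Hardened form: every value derived from the query string is
    HTML-escaped (quote=True also neutralises attribute contexts) and the
    rest of the page stays static."""
    params = parse_callback(url)
    if "code" in params:
        status = "successful"
    elif "error" in params:
        status = "failed (" + html.escape(params["error"], quote=True) + ")"
    else:
        status = "invalid request"
    return PAGE.format(status=status)


def is_reflected_unescaped(page: str, marker: str = "<script>") -> bool:
    """Simple check for a rendered page: does a raw tag survive into the body?"""
    return marker in page


# Constructed inputs: a crafted link to the local callback server, and a
# normal provider error redirect.
MALICIOUS_CALLBACK = ("http://127.0.0.1:8080/?error="
                      "%3Cscript%3Ealert(document.domain)%3C%2Fscript%3E")
BENIGN_CALLBACK = "http://127.0.0.1:8080/?error=access_denied&state=abc"

if __name__ == "__main__":
    print("--- vulnerable ---")
    print(render_vulnerable(MALICIOUS_CALLBACK))
    print("--- hardened ---")
    print(render_hardened(MALICIOUS_CALLBACK))
```

Running the block prints the two responses side by side: the vulnerable one carries a live script element, the hardened one shows the same text as inert entities. The same is_reflected_unescaped() check can be pointed at the body returned by a real local callback server to confirm whether an installed version still reflects the parameter unescaped.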
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| spotipy | 25.10 questing | Needs evaluation |
| | 25.04 plucky | Needs evaluation |
| | 24.04 LTS noble | Not in release |
| | 22.04 LTS jammy | Not in release |
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 3.6 (Low), computed from the CVSS:3.1 vector below |
| Attack vector | Local |
| Attack complexity | High |
| Privileges required | None |
| User interaction | Required |
| Scope | Unchanged |
| Confidentiality | Low |
| Integrity impact | Low |
| Availability impact | None |
| Vector | CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N |
References
Other references
- https://www.cve.org/CVERecord?id=CVE-2025-66040
- https://github.com/spotipy-dev/spotipy/security/advisories/GHSA-r77h-rpp9-w2xm
- https://github.com/spotipy-dev/spotipy/commit/880b92d7243dcf2b83bf31dc365a858d8b5e6767 (2.25.2)