Source: spotipy
Version: 2.25.1-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,

The following vulnerability was published for spotipy.

CVE-2025-66040[0]:
| Spotipy is a Python library for the Spotify Web API. Prior to
| version 2.25.2, there is a cross-site scripting (XSS) vulnerability
| in the OAuth callback server that allows for JavaScript injection
| through the unsanitized error parameter. Attackers can execute
| arbitrary JavaScript in the user's browser during OAuth
| authentication. This issue has been patched in version 2.25.2.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-66040
    https://www.cve.org/CVERecord?id=CVE-2025-66040
[1] https://github.com/spotipy-dev/spotipy/security/advisories/GHSA-r77h-rpp9-w2xm
[2] https://github.com/spotipy-dev/spotipy/commit/880b92d7243dcf2b83bf31dc365a858d8b5e6767

Regards,
Salvatore
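The bug class the advisory describes, as an added illustration that is not spotipy's code and not taken from the upstream fix in [2]: an OAuth 2.0 authorization server returns failures to the redirect URI as an `error` query parameter (RFC 6749, section 4.1.2.1), and a local callback server that reflects that parameter into its HTML response without escaping lets whoever controls the redirect (the provider, or anyone who can steer the victim's browser to the loopback port with a crafted link) inject markup. The handler, port, page text and the sample redirect below are all constructed for the example; the hardened variant simply HTML-escapes every reflected value.

```python
import html
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

# Constructed attacker-controlled redirect, as a browser would deliver it to a
# local OAuth callback server. Host, port and path are hypothetical.
MALICIOUS_REDIRECT = (
    "http://127.0.0.1:8080/?error=access_denied"
    "%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E"
)


def parse_callback(url):
    """Return the query parameters of an OAuth redirect as a dict of single values."""
    query = parse_qs(urlparse(url).query, keep_blank_values=True)
    return {key: values[0] for key, values in query.items()}


def render_vulnerable(params):
    """Reflect the 'error' parameter into HTML verbatim.

    This is the pattern the CVE text describes in general terms: whatever the
    redirect carries in ?error= becomes part of the page's markup, so a value
    containing '<script>' executes in the user's browser.
    """
    error = params.get("error")
    if error is not None:
        return f"<html><body><h1>Authorization failed: {error}</h1></body></html>"
    return "<html><body><h1>Authorization complete</h1></body></html>"


def render_hardened(params):
    """Same page, but every reflected value is HTML-escaped.

    html.escape() turns '<', '>', '&', '"' and "'" into entities, so the
    value cannot close the text node and open a tag or attribute.
    """
    error = params.get("error")
    if error is not None:
        safe = html.escape(error, quote=True)
        return f"<html><body><h1>Authorization failed: {safe}</h1></body></html>"
    return "<html><body><h1>Authorization complete</h1></body></html>"


def contains_injected_script(page):
    """Crude check: does the rendered page contain a live <script> tag?"""
    return "<script>" in page.lower()


class CallbackHandler(BaseHTTPRequestHandler):
    """Hypothetical loopback callback server wired to the hardened renderer."""

    def do_GET(self):
        # self.path is "/?code=..." or "/?error=..."; prepend a host so urlparse
        # sees a full URL.
        body = render_hardened(parse_callback("http://localhost" + self.path))
        data = body.encode("utf-8")
        self.send_response(200)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


if __name__ == "__main__":
    params = parse_callback(MALICIOUS_REDIRECT)
    print("vulnerable:", render_vulnerable(params))
    print("hardened:  ", render_hardened(params))
    # To serve real redirects on the hypothetical port instead:
    # HTTPServer(("127.0.0.1", 8080), CallbackHandler).serve_forever()
```

Escaping at the point of reflection is the minimal fix; a callback page that does not need HTML at all can additionally be served as `text/plain`, or with a restrictive `Content-Security-Policy` header, so that even a missed escape cannot execute script.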

