
CVE-2025-47928

Spotipy - Python Library for Spotify Web API

Spotipy | CVSS 9.1 | Updated April 6, 2026

Executive Risk Summary

"A vulnerability in the Spotipy Python library allows attackers to execute untrusted code with access to secrets, including the GITHUB_TOKEN, which can be used to completely overtake the repository. This vulnerability can be exploited by using the `pull_request_target` on `.github/workflows/integration_tests.yml` followed by checking out the head.sha of a forked PR."

Anticipated Attack Path

  1. An attacker opens a pull request from a fork. Because `.github/workflows/integration_tests.yml` is triggered by `pull_request_target`, the job runs in the context of the base repository, so it receives the repository's secrets and a GITHUB_TOKEN that, for this trigger, can carry write permissions.
  2. The workflow checks out the pull request's head.sha, that is, the fork's commit, into that privileged job.
  3. Whatever the job then runs from the checkout (package install, test setup, the tests themselves) is attacker-controlled and executes with access to those secrets, which is enough to push to the repository or exfiltrate the Spotify credentials.

Am I Vulnerable?

  • Check whether any workflow under `.github/workflows/` (here `integration_tests.yml`) is triggered by `pull_request_target`.
  • In such a workflow, check whether a checkout step sets `ref:` to the pull request head (`github.event.pull_request.head.sha`, or any other reference to the PR head) and whether later steps run code from that checkout. The combination of the trigger and the head checkout is the vulnerable pattern; `pull_request_target` on its own is not.
  • Check which secrets the job can reach: GITHUB_TOKEN is always available to a workflow, and this one also used SPOTIPY_CLIENT_ID and SPOTIPY_CLIENT_SECRET.
  • Confirm that the fix commit 9dfb7177b8d7bb98a5a6014f8e6436812a47576 is present in the repository history. The vulnerability is in the repository's CI configuration, so it is the repository and its secrets that are exposed, not an installed copy of the spotipy package.
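One way to check for the pattern described in the attack path and in the checklist above, as an added example that is neither the project's own tooling nor code from the original page: a dependency-free, line-based scan of a workflow file for the `pull_request_target` trigger combined with a checkout of the pull request head. The two embedded workflows are constructed for illustration (they are not Spotipy's actual file), and the parsing is a heuristic over indentation rather than a full YAML parser.

```python
import re

# Constructed sample workflows (not the real Spotipy file): the first has the
# vulnerable shape, the second runs the same job under the safe `pull_request` trigger.
VULNERABLE_WORKFLOW = """\
name: Integration tests
on:
  pull_request_target:
    branches: [master]
jobs:
  integration:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"
      - run: pip install -e .
      - run: python -m pytest tests/integration
        env:
          SPOTIPY_CLIENT_ID: ${{ secrets.SPOTIPY_CLIENT_ID }}
          SPOTIPY_CLIENT_SECRET: ${{ secrets.SPOTIPY_CLIENT_SECRET }}
"""

HARDENED_WORKFLOW = """\
name: Integration tests
on:
  pull_request:
    branches: [master]
jobs:
  integration:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"
      - run: pip install -e .
      - run: python -m pytest tests/integration
        env:
          SPOTIPY_CLIENT_ID: ${{ secrets.SPOTIPY_CLIENT_ID }}
          SPOTIPY_CLIENT_SECRET: ${{ secrets.SPOTIPY_CLIENT_SECRET }}
"""

# Expressions that resolve to the pull request head, i.e. the fork's code.
HEAD_REF_EXPR = re.compile(r"github\.event\.pull_request\.head\.(sha|ref)|github\.head_ref")


def _indent(line: str) -> int:
    return len(line) - len(line.lstrip(" "))


def on_section(text: str) -> list[str]:
    """Lines of the top-level `on:` block, including the `on:` line itself
    (so inline forms such as `on: [push, pull_request_target]` are covered)."""
    out, inside = [], False
    for line in text.splitlines():
        if line.startswith("on:"):
            inside = True
            out.append(line)
        elif inside:
            if line.strip() and not line.startswith("#") and _indent(line) == 0:
                break  # the next top-level key ends the block
            out.append(line)
    return out


def uses_pull_request_target(text: str) -> bool:
    return any(re.search(r"\bpull_request_target\b", line) for line in on_section(text))


def checks_out_pr_head(text: str) -> bool:
    """True if an actions/checkout step sets `ref:` to the pull request head."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if "actions/checkout@" not in line:
            continue
        # Keys of this step (`with:`, `env:`) sit two columns past a leading `- `,
        # or at the same column as a bare `uses:` line under `- name:`.
        key_indent = _indent(line) + (2 if line.lstrip().startswith("- ") else 0)
        for nxt in lines[i + 1:]:
            if nxt.strip() and _indent(nxt) < key_indent:
                break  # next step, or end of the steps list
            if re.match(r"\s*ref:", nxt) and HEAD_REF_EXPR.search(nxt):
                return True
    return False


def audit_workflow(text: str) -> list[str]:
    """Findings for one workflow file; an empty list means the pattern is absent."""
    prt, head = uses_pull_request_target(text), checks_out_pr_head(text)
    findings = []
    if prt:
        findings.append("trigger: pull_request_target runs with base-repository secrets")
    if head:
        findings.append("checkout: ref points at the PR head, i.e. untrusted fork code")
    if prt and head:
        findings.append("CRITICAL: pull_request_target + PR-head checkout "
                        "(the CVE-2025-47928 pattern)")
    return findings


if __name__ == "__main__":
    for name, wf in (("vulnerable", VULNERABLE_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(name, audit_workflow(wf) or ["no findings"])
```

To audit a real checkout, call `audit_workflow(open(path).read())` for each file under `.github/workflows/`. The hardened sample trades capability for safety: under `pull_request`, a job triggered by a fork receives no repository secrets and only a read-only GITHUB_TOKEN, so integration tests that need SPOTIPY_CLIENT_ID and SPOTIPY_CLIENT_SECRET will not have them on fork PRs and need a separate, maintainer-gated run.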

Operational Audit Arsenal

Target Type: GitHub Actions workflow file
Target Asset: .github/workflows/integration_tests.yml
Standard Path: repository root (the `.github/workflows/` directory of the Spotipy repository)

Manual Verification Required

This is a non-Windows asset (Spotipy), and the affected component is a CI workflow file rather than installed software, so there is no package version to check. Verify by inspecting the target asset at the path above in the repository and comparing it against the fix commit referenced in the work notes below.

Patch Impact Forecast

Reboot Required: No. The fix changes a CI workflow file; nothing running on a host is replaced.

Patch Impact: Low to Moderate. Dropping `pull_request_target` (or no longer checking out the PR head under it) means pull requests from forks lose access to the integration-test credentials, so those tests need a separate, maintainer-gated run.

Internal Work Notes

The Spotipy repository's GitHub Actions workflow `.github/workflows/integration_tests.yml` ran untrusted pull-request code with access to repository secrets, including GITHUB_TOKEN. Apply commit 9dfb7177b8d7bb98a5a6014f8e6436812a47576 to mitigate the issue, then re-check that no workflow in the repository still combines `pull_request_target` with a checkout of the pull request head.


Intelligence Sources

Data compiled from NVD, MSRC, and CISA KEV Catalog. Intelligence synthesized via AI. Scripts provided for diagnostic purposes under MIT License.