Spotipy Cross-Site Scripting Vulnerability in OAuth Callback Server

Vulnerability

A cross-site scripting (XSS) vulnerability has been identified in Spotipy, a Python library for the Spotify Web API, prior to version 2.25.2. The issue resides in the OAuth callback server, where the error query parameter of the callback URL is reflected into the response without proper sanitization, allowing JavaScript injection. This enables attackers to execute arbitrary JavaScript in the user's browser during the OAuth authentication process.

Impact

Successful exploitation results in cross-site scripting: the injected JavaScript runs in the user's browser, in the context of the page served by the local callback server.

Reproduction

To reproduce this vulnerability, initiate the OAuth authentication process using Spotipy, which will start a local HTTP server on port 8080. An attacker can then craft a URL that includes a malicious script in the error parameter and send it to the user. When the user clicks the link, the script will execute in their browser.
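The defect described above and in the Vulnerability section is the classic reflected-XSS pattern: a query-string value is interpolated into an HTML page as markup instead of as text. The following is an added example, not Spotipy's own code and not the actual patch in 2.25.2; it models a minimal local OAuth callback handler, contrasts unescaped interpolation with HTML-escaping the untrusted value, and adds a restrictive Content-Security-Policy header as defence in depth. All function names (render_error_unsafe, render_error_safe, error_from_query, CallbackHandler, contains_markup), the port and the sample value are assumptions for illustration.

```python
"""Illustrative OAuth callback page rendering with output encoding.

Added example, not Spotipy's own code. It models a minimal local
callback handler that shows the query-string ``error`` parameter on an
HTML page, and contrasts unescaped interpolation (the pattern the
advisory describes) with HTML-escaping the value before it reaches the
page. Names and the port are assumptions for illustration.
"""
from html import escape
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Optional
from urllib.parse import parse_qs, urlparse

# Constructed sample of an untrusted parameter value used for demonstration.
SAMPLE_UNTRUSTED = "<script>alert('xss')</script>"


def render_error_unsafe(error: str) -> str:
    """Unescaped interpolation: attacker-controlled text becomes markup."""
    return f"<html><body><h1>Error: {error}</h1></body></html>"


def render_error_safe(error: str) -> str:
    """HTML-escape the untrusted value so the browser shows it as text."""
    return f"<html><body><h1>Error: {escape(error, quote=True)}</h1></body></html>"


def error_from_query(path: str) -> Optional[str]:
    """Extract the first ``error`` value from the request path, if present."""
    params = parse_qs(urlparse(path).query)
    values = params.get("error")
    return values[0] if values else None


def contains_markup(page: str, tag: str = "<script") -> bool:
    """Return True if the rendered page still contains the raw tag prefix."""
    return tag in page.lower()


class CallbackHandler(BaseHTTPRequestHandler):
    """Minimal callback handler that always responds with the escaped page."""

    def do_GET(self) -> None:
        error = error_from_query(self.path)
        if error is not None:
            body = render_error_safe(error)
        else:
            body = "<html><body><h1>Authentication complete</h1></body></html>"
        data = body.encode("utf-8")
        self.send_response(200)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.send_header("Content-Length", str(len(data)))
        # Defence in depth: with no script source allowed, inline script is
        # blocked even if an escaping step is missed somewhere else.
        self.send_header("Content-Security-Policy", "default-src 'none'")
        self.end_headers()
        self.wfile.write(data)


if __name__ == "__main__":
    # Assumed port for the local callback server; the advisory mentions 8080.
    HTTPServer(("127.0.0.1", 8080), CallbackHandler).serve_forever()
```

The two render functions differ only in the escape call; that single step is what turns reflected input from markup into inert text. The CSP header is a second, independent control: a local callback page has no legitimate need to run script, so denying all sources costs nothing and limits the blast radius of any future rendering mistake.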

Remediation

Users can update to Spotipy version 2.25.2 or later, where this vulnerability has been patched.

Added: Nov 27, 2025, 12:17 AM
Updated: Nov 27, 2025, 12:17 AM

Vulnerability Rating

Custom Algorithm

spread: 5.4
impact: 4.2
exploitability: 5.4
remediation: 7.7
relevance: 1.2
threat: 6.4
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.