GHSA-r77h-rpp9-w2xm

Описание

Summary

XSS vulnerability in OAuth callback server allows JavaScript injection through unsanitized error parameter. Attackers can execute arbitrary JavaScript in the user's browser during OAuth authentication.

Details

Vulnerable Code: spotipy/oauth2.py lines 1238-1274 (RequestHandler.do_GET)

The Problem: During OAuth flow, spotipy starts a local HTTP server to receive callbacks. The server reflects the error URL parameter directly into HTML without sanitization.

Vulnerable code at line 1255:

Then embedded in HTML at line 1265:

The error parameter comes from URL parsing (lines 388-393) without HTML escaping, allowing script injection.

Attack Flow:

1. User starts OAuth authentication → local server runs on http://127.0.0.1:8080
2. Attacker crafts malicious URL: http://127.0.0.1:8080/?error=<script>alert(1)</script>&state=x
3. User visits URL → JavaScript executes in localhost origin

PoC

Simple Python Test:

Run it:

Output shows:

The Proof:

• Expected (safe): <script>alert("XSS")</script>
• Actual (vulnerable): <script>alert("XSS")</script>
• The script tags are NOT escaped → XSS confirmed

Impact

Vulnerability Type: Cross-Site Scripting (XSS) - CWE-79

Affected Users: Anyone using spotipy's OAuth flow with localhost redirect URIs

Attack Complexity: Medium-High

• Requires timing (during brief OAuth window)
• Localhost-only (127.0.0.1)
• Requires user interaction (click malicious link)

Potential Impact:

• Execute JavaScript in localhost origin
• Access other localhost services (port scanning, API calls)
• Steal data from local web applications
• Extract OAuth tokens from browser storage
• Bypass CSRF protections on localhost endpoints

CVSS 3.1 Score: 4.2 (Medium)

• Attack Vector: Local
• Attack Complexity: High
• Privileges Required: None
• User Interaction: Required
• Scope: Unchanged
• Confidentiality/Integrity: Low

Recommended Fix: