github spotipy-dev/spotipy 2.22.1
2.22.1: CVE-2023-23608


Fixed

  • CVE-2023-23608: fixed a path traversal vulnerability in the URI handling code that could lead to type confusion. The fix can prevent a potential XSS attack.
    • Upgrade if your app is user-facing and accepts user input for any kind of Spotify ID/URI/URL that may be forwarded to the Spotify API. Thanks to @Shaderbug for finding and fixing this bug (b1db0b6).
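As an added illustration of the class of fix this entry describes (example code, not spotipy's own implementation): a strict allowlist parser for the three identifier forms (bare ID, `spotify:` URI, open.spotify.com URL) that only returns an ID when it is pure base-62 and its type matches what the caller expects, so a path separator or `..` from user input can never reach the API request path. The regex patterns, function names and sample ID are assumptions constructed for this example.

```python
import re

# Added example, not spotipy's code. Every accepted form must end in a
# pure base-62 ID; anything else (slashes, dots, query junk) is rejected
# before it can be interpolated into an API path.
_BASE62 = re.compile(r"^[0-9A-Za-z]+$")
_URI = re.compile(r"^spotify:(?P<type>[a-z]+):(?P<id>[0-9A-Za-z]+)$")
_URL = re.compile(
    r"^https?://open\.spotify\.com/(?P<type>[a-z]+)/(?P<id>[0-9A-Za-z]+)(?:\?.*)?$"
)


class InvalidSpotifyId(ValueError):
    """Raised for malformed input or a type that does not match the caller's."""


def get_id(expected_type: str, value: str) -> str:
    """Return the base-62 ID embedded in `value`, or raise InvalidSpotifyId.

    `expected_type` is the resource the caller is about to request
    (e.g. "track"); a URI/URL naming a different type is refused rather
    than silently forwarded, which is the type-confusion half of the bug.
    """
    for pattern in (_URI, _URL):
        match = pattern.match(value)
        if match:
            if match.group("type") != expected_type:
                raise InvalidSpotifyId(
                    f"expected a {expected_type}, got a {match.group('type')}"
                )
            return match.group("id")
    # A bare identifier is only accepted if it is entirely base-62.
    if _BASE62.match(value):
        return value
    raise InvalidSpotifyId("unsupported or malformed Spotify ID/URI/URL")


def is_accepted(expected_type: str, value: str) -> bool:
    """Convenience wrapper: True if `value` parses cleanly as `expected_type`."""
    try:
        get_id(expected_type, value)
        return True
    except InvalidSpotifyId:
        return False


def build_endpoint(expected_type: str, value: str) -> str:
    """Build the request path only from a validated ID (hypothetical helper)."""
    return f"https://api.spotify.com/v1/{expected_type}s/{get_id(expected_type, value)}"
```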

Changed

  • Modified the docstring of the deprecated playlist_add_items() to accept "only URIs or URLs", with the intended fix for IDs in v3.
    • The bug still exists for developers dealing with episode IDs rather than just track IDs. However, it is recommended to use the new playlist_add_tracks() or playlist_add_episodes() when dealing with episodes, or simply to avoid confusion. See #919 by @oliveraw for context.
