Bevy · Events/Groups · CVE-2025-54599
**Name of the Vulnerable Software and Affected Versions**
The Bevy Event service versions through 2025-07-22
**Description**
The Bevy Event service, used for eBay Seller Events and other activities, is susceptible to account takeover when Single Sign-On (SSO) is enabled and a victim modifies their configured email address. An attacker can create a new account and perform an SSO login to exploit this issue. The root cause is an SSO misconfiguration.
**Recommendations**
Versions through 2025-07-22: Review and correct the SSO configuration to prevent account takeover when email addresses are changed.