PT-2025-34886 · Ebay · Bevy Event Service
Deep1Chil · Published 2025-08-27 · Updated 2025-08-27 · CVE-2025-54598
CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions:
The Bevy Event service versions through 2025-07-22
Description:
The Bevy Event service, used for eBay Seller Events and other activities, is susceptible to a Cross-Site Request Forgery (CSRF) issue. This flaw allows an attacker to delete all notifications by exploiting the /notifications/delete/ API endpoint.
Recommendations:
Versions through 2025-07-22: Mitigate the issue by implementing CSRF protection mechanisms, such as synchronizer tokens, to validate requests originating from trusted sources.
Exploit
Fix
CSRF
Affected Products
Bevy Event Service