CVE-2025-54598 in Event Service
Summary
by MITRE • 08/27/2025
The Bevy Event service through 2025-07-22, as used for eBay Seller Events and other activities, allows CSRF to delete all notifications via the /notifications/delete/ URI.
Analysis
by VulDB Data Team • 08/29/2025
The vulnerability identified as CVE-2025-54598 affects the Bevy Event service in versions through 2025-07-22, which is used by eBay Seller Events and related activities. It is a critical cross-site request forgery vulnerability that enables unauthorized deletion of all notifications through a specific URI endpoint. The service operates as a notification management system within eBay's seller ecosystem, handling event communications that sellers rely upon for business operations. The vulnerability exists because request origins are insufficiently validated and the notification deletion functionality lacks a proper anti-CSRF token.
The technical flaw manifests through the absence of proper origin validation and anti-CSRF protection mechanisms in the /notifications/delete/ URI endpoint. When a malicious actor crafts a specially constructed request to this endpoint, the service processes the deletion command without verifying the legitimate source of the request. This vulnerability falls under CWE-352, which specifically addresses Cross-Site Request Forgery vulnerabilities, and demonstrates a classic lack of proper request validation controls. The flaw allows attackers to exploit the service's trust in authenticated sessions without proper token verification, enabling them to delete all notifications for affected users.
The operational impact of this vulnerability extends beyond simple notification deletion and represents a significant threat to eBay seller operations. Sellers rely on timely notifications for critical events such as order confirmations, shipping updates, return requests, and policy changes. Unauthorized deletion of all notifications could result in missed business opportunities, customer service failures, and potential financial losses. The vulnerability affects the integrity of the notification system and could be exploited to disrupt seller workflows, potentially leading to reputational damage for eBay and loss of seller confidence in the platform's reliability.
Mitigation for this vulnerability should begin with anti-CSRF tokens for all state-changing operations, particularly those involving notification management. The service must validate the origin of requests through proper Referer header checking and set same-site cookies with appropriate attributes. Security measures should also include rate limiting for notification deletion operations and logging of all deletion activities for audit purposes. Organizations should follow ATT&CK technique T1566.002 for credential access and T1499.004 for endpoint detection and response, ensuring that any unauthorized deletion attempts are detected and logged. The fix should also include proper session management controls and ensure that all sensitive operations require explicit user confirmation through a secondary authentication mechanism.
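As an added illustration, not code from the advisory or from the Bevy service, the three controls described above (synchronizer token, origin/Referer validation, SameSite session cookie) applied to a delete-all-notifications handler; the trusted origin, the request dictionary layout and the handler signature are assumptions made for this example:

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Assumed trusted origin of the event service (constructed for this example).
ALLOWED_ORIGINS = {"https://events.example.com"}


def issue_csrf_token(session):
    """Synchronizer token pattern: bind a fresh random token to the server-side session."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def session_cookie_header(session_id):
    """Set-Cookie value: SameSite stops the browser attaching the session to cross-site POSTs."""
    return f"sid={session_id}; Path=/; Secure; HttpOnly; SameSite=Lax"


def origin_is_trusted(headers):
    """Accept only requests whose Origin (or, as fallback, Referer) is a trusted origin.
    A request with neither header fails closed."""
    origin = headers.get("Origin")
    if origin is None:
        referer = headers.get("Referer")
        if referer is None:
            return False
        parts = urlsplit(referer)
        origin = f"{parts.scheme}://{parts.netloc}"
    return origin in ALLOWED_ORIGINS


def csrf_token_is_valid(session, submitted):
    """Constant-time comparison of the submitted token against the session-bound one."""
    expected = session.get("csrf_token")
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected, submitted)


def handle_delete_all(request, session, notifications):
    """Guarded delete-all handler. Returns (HTTP status, remaining notifications)."""
    if request["method"] != "POST":          # state change must not be reachable via GET
        return 405, notifications
    if not origin_is_trusted(request["headers"]):
        return 403, notifications
    if not csrf_token_is_valid(session, request["form"].get("csrf_token")):
        return 403, notifications
    return 200, []                            # all checks passed: perform the deletion
```

A request forged from another site carries a foreign Origin and no session-bound token, so it is refused before any notification is touched, while a legitimate same-origin form submission succeeds.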