Executive Summary

CVE-2025-54598 is a Cross-Site Request Forgery (CSRF) vulnerability in the Bevy Event service used for eBay Seller Events. It allows an attacker to trick an authenticated administrator into unknowingly sending a request that deletes all user notifications via the /notifications/delete/ URI. This happens when the admin visits a malicious webpage that automatically triggers the deletion request without their consent or awareness. [1]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can disrupt communication and visibility within the platform by deleting all user notifications without authorization. It may also be leveraged to facilitate privilege abuse or denial-of-service attacks when combined with other vulnerabilities, potentially impacting system integrity and user trust. [1]

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring for unauthorized GET requests to the /notifications/delete/ URI on the Bevy Event service. Network or web server logs can be searched for such requests, especially those triggered without user interaction. For example, using command-line tools like grep on server logs: grep "/notifications/delete/" /var/log/access.log. Additionally, inspecting web traffic for suspicious GET requests to this endpoint can help identify exploitation attempts. [1]

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include applying the vendor's patch released on June 24, 2025, which addresses the CSRF vulnerability. Until the patch is applied, implement CSRF protections such as requiring POST requests with anti-CSRF tokens for the /notifications/delete/ endpoint, or restricting access to this URI to trusted users only. Additionally, educating users to avoid visiting untrusted webpages while authenticated can reduce risk. [1]

Useful 0 Not Useful 0