CVE-2025-54598
📋 TL;DR
This CVE describes a Cross-Site Request Forgery (CSRF) vulnerability in the Bevy Event service that allows attackers to trick authenticated users into deleting all their notifications. The vulnerability affects eBay sellers and other users of the Bevy Event service through July 22, 2025. Attackers can exploit this by crafting malicious web pages that trigger unauthorized requests to the /notifications/delete/ endpoint.
💻 Affected Systems
- Bevy Event service
📦 What is this software?
Bevy by Bevy
⚠️ Risk & Real-World Impact
Worst Case
Attackers could mass-delete notifications for all users, potentially causing users to miss critical event updates, payment notifications, or security alerts, leading to business disruption and financial loss.
Likely Case
Targeted attacks against specific users to delete their notifications, causing confusion and missed important updates about events, sales, or communications.
If Mitigated
With proper CSRF protections, the vulnerability would be prevented, and users would only be able to delete their own notifications through legitimate authenticated requests.
🎯 Exploit Status
Exploitation requires the victim to be authenticated to the Bevy Event service and visit a malicious webpage. The attacker must craft a CSRF payload targeting the /notifications/delete/ endpoint.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after 2025-07-22
Vendor Advisory: https://bevy.com/b/events-and-groups
Restart Required: No
Instructions:
1. Update the Bevy Event service to a version released after 2025-07-22.
2. Verify that CSRF tokens are implemented on all state-changing endpoints.
3. Test the /notifications/delete/ endpoint to ensure it rejects requests without valid CSRF tokens.
🔧 Temporary Workarounds
Implement CSRF Protection
Add CSRF tokens to the /notifications/delete/ endpoint and validate them on the server side.
SameSite Cookie Attribute
Set the SameSite=Strict or SameSite=Lax attribute on session cookies to prevent the browser from attaching them to cross-site requests.
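The two workarounds above, shown side by side as an added example that is not Bevy's code and makes no claim about how the service is implemented: a minimal handler for the notification-delete action that trusts the session cookie alone (the vulnerable pattern this CVE describes) next to a hardened version that checks the Origin header and a per-session synchronizer token, with the session cookie issued as SameSite=Lax. The in-memory session and notification stores, the hostname events.example.com and the function names are all assumptions made for the example.

```python
import hmac
import secrets
from http.cookies import SimpleCookie
from urllib.parse import parse_qs

# Constructed in-memory stores; a real deployment would use its session backend.
SESSIONS = {}        # session id -> {"user": ..., "csrf": ...}
NOTIFICATIONS = {}   # user -> list of notification ids

# Placeholder origin of the legitimate application, not a real Bevy value.
TRUSTED_ORIGIN = "https://events.example.com"


def create_session(user):
    """Create a session and bind a fresh CSRF token to it."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def session_cookie_header(sid):
    """Set-Cookie value: SameSite=Lax keeps the cookie off cross-site POSTs
    (Strict would also keep it off top-level cross-site navigations)."""
    return f"session={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"


def _session_from(headers):
    cookie = SimpleCookie()
    cookie.load(headers.get("Cookie", ""))
    morsel = cookie.get("session")
    return SESSIONS.get(morsel.value) if morsel else None


def delete_notifications_vulnerable(headers, body):
    """Vulnerable pattern: the session cookie is the only thing checked, so a
    form auto-submitted from an attacker-controlled page deletes everything."""
    sess = _session_from(headers)
    if sess is None:
        return 401, "not authenticated"
    NOTIFICATIONS[sess["user"]] = []
    return 200, "deleted"


def delete_notifications_hardened(headers, body):
    """Hardened pattern: same action, but cross-site requests are rejected."""
    sess = _session_from(headers)
    if sess is None:
        return 401, "not authenticated"
    # 1. Origin check: browsers send Origin on cross-site POSTs and a foreign
    #    page cannot forge it.
    if headers.get("Origin") != TRUSTED_ORIGIN:
        return 403, "bad origin"
    # 2. Synchronizer token: the form must echo the token bound to this session.
    #    A cross-site page cannot read it, so it cannot include it. Compare in
    #    constant time.
    submitted = parse_qs(body).get("csrf_token", [""])[0]
    if not hmac.compare_digest(submitted.encode(), sess["csrf"].encode()):
        return 403, "missing or invalid csrf token"
    NOTIFICATIONS[sess["user"]] = []
    return 200, "deleted"


def demo():
    """Run one forged and one legitimate request through both handlers."""
    SESSIONS.clear()
    NOTIFICATIONS.clear()
    sid = create_session("seller1")
    NOTIFICATIONS["seller1"] = ["n1", "n2", "n3"]

    # Forged request: the browser attaches the cookie, but the page that sent
    # it has a foreign Origin and no access to the CSRF token.
    forged = {"Cookie": f"session={sid}", "Origin": "https://attacker.example"}
    results = {"vulnerable": delete_notifications_vulnerable(forged, "")[0]}
    results["after_vulnerable"] = len(NOTIFICATIONS["seller1"])

    NOTIFICATIONS["seller1"] = ["n1", "n2", "n3"]
    results["hardened_forged"] = delete_notifications_hardened(forged, "")[0]
    results["after_forged"] = len(NOTIFICATIONS["seller1"])

    # Legitimate request from the application's own page, carrying the token.
    legit = {"Cookie": f"session={sid}", "Origin": TRUSTED_ORIGIN}
    body = "csrf_token=" + SESSIONS[sid]["csrf"]
    results["hardened_legit"] = delete_notifications_hardened(legit, body)[0]
    results["after_legit"] = len(NOTIFICATIONS["seller1"])
    return results


if __name__ == "__main__":
    print(session_cookie_header("example-session-id"))
    print(demo())
```

Either control alone closes the cross-site path; the page recommends both because a SameSite attribute depends on browser support, while the token check is enforced entirely on the server. The Origin check is an extra layer that costs nothing when the token check is already in place.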
🧯 If You Can't Patch
- Implement a web application firewall (WAF) rule to block requests to /notifications/delete/ without proper referrer headers or CSRF tokens.
- Monitor and alert on unusual patterns of notification deletion activity in user logs.
🔍 How to Verify
Check if Vulnerable:
Test if the /notifications/delete/ endpoint accepts POST requests without CSRF tokens by attempting to submit a form from a different origin.
Check Version:
Check the Bevy Event service version in the application interface or configuration files.
Verify Fix Applied:
Verify that the /notifications/delete/ endpoint now requires and validates CSRF tokens, rejecting requests without them.
📡 Detection & Monitoring
Log Indicators:
- Multiple DELETE requests to /notifications/delete/ from the same IP in a short timeframe
- Requests to /notifications/delete/ without proper referrer headers
Network Indicators:
- Unusual patterns of POST requests to /notifications/delete/ endpoint
- Requests originating from unexpected domains or IPs
SIEM Query:
source="web_server_logs" AND uri="/notifications/delete/" AND (NOT referrer CONTAINS "expected-domain.com" OR referrer IS NULL)
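The log indicators above (requests to /notifications/delete/ with a missing or foreign referrer, and bursts from one IP) turned into a small detector, as an added example that is not part of the original advisory. It runs over a few constructed combined-format access log lines (not real Bevy logs); the trusted hostname events.example.com, the burst threshold and the window are assumptions to tune for the real deployment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Placeholder for the hostname(s) the legitimate application is served from.
TRUSTED_HOSTS = {"events.example.com"}
# Burst rule: this many delete requests from one IP inside the window.
BURST_COUNT = 3
BURST_WINDOW = timedelta(seconds=60)

# Constructed sample lines in combined log format: one legitimate deletion,
# then three cross-site / referrer-less deletions from a second client.
SAMPLE_LOG = """\
203.0.113.5 - - [22/Jul/2025:10:00:01 +0000] "POST /notifications/delete/ HTTP/1.1" 200 12 "https://events.example.com/notifications/" "Mozilla/5.0"
198.51.100.7 - - [22/Jul/2025:10:01:10 +0000] "POST /notifications/delete/ HTTP/1.1" 200 12 "https://evil.example/lure.html" "Mozilla/5.0"
198.51.100.7 - - [22/Jul/2025:10:01:12 +0000] "POST /notifications/delete/ HTTP/1.1" 200 12 "-" "Mozilla/5.0"
198.51.100.7 - - [22/Jul/2025:10:01:15 +0000] "POST /notifications/delete/ HTTP/1.1" 200 12 "-" "Mozilla/5.0"
203.0.113.5 - - [22/Jul/2025:10:05:00 +0000] "GET /events/ HTTP/1.1" 200 5120 "https://events.example.com/" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def referer_is_trusted(referer):
    """An empty or '-' referrer counts as untrusted; otherwise compare the host."""
    if referer in ("", "-"):
        return False
    return urlparse(referer).hostname in TRUSTED_HOSTS


def analyze(log_text):
    """Return (kind, ip, detail) findings for the two log indicators."""
    findings = []
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"] != "/notifications/delete/":
            continue
        if not referer_is_trusted(rec["referer"]):
            findings.append(("suspicious_referer", rec["ip"], rec["referer"]))
        per_ip[rec["ip"]].append(rec["ts"])
    # Burst rule: sliding window of BURST_COUNT consecutive timestamps per IP.
    for ip, times in per_ip.items():
        times.sort()
        for i in range(len(times) - BURST_COUNT + 1):
            if times[i + BURST_COUNT - 1] - times[i] <= BURST_WINDOW:
                findings.append(("burst", ip, BURST_COUNT))
                break
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

The referrer rule mirrors the SIEM query on the page, with the caveat that browsers and privacy extensions sometimes strip the Referer header, so a missing referrer is a weak signal on its own; combining it with the burst rule, and with the server-side token rejections once the fix is in place, gives a much lower false-positive rate.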