CVE-2025-54599 — HIGH (7.5)

Q: How severe is CVE-2025-54599?

CVE-2025-54599 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2025-54599?

Check the references section above for vendor advisories and patch information. Affected products include: Bevy Events And Groups.

Vulnerability Description

The Bevy Event service through 2025-07-22, as used for eBay Seller Events and other activities, allows account takeover, if SSO is used, when a victim changes the email address that they have configured. To exploit this, an attacker would create their own account and perform an SSO login. The root cause of the issue is SSO misconfiguration.

CVSS Score

7.5

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

NONE

Availability

NONE

Affected Products

Vendor	Product	Versions
Bevy	Events And Groups	<= 2025-07-22

Related Weaknesses (CWE)

CWE-284

References

https://bevy.com/b/events-and-groupsProduct
https://gist.github.com/deep1chil/558e8da919690a634bec684e7c4d0ffeExploitThird Party Advisory
https://www.youtube.com/watch?v=wbmIvA09Ra8Exploit

FAQ

What is CVE-2025-54599?

CVE-2025-54599 is a vulnerability with a CVSS score of 7.5 (HIGH). The Bevy Event service through 2025-07-22, as used for eBay Seller Events and other activities, allows account takeover, if SSO is used, when a victim changes the email address that they have configur...

How severe is CVE-2025-54599?

CVE-2025-54599 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2025-54599?

Check the references section above for vendor advisories and patch information. Affected products include: Bevy Events And Groups.