Bevy Event Service Cross-Site Request Forgery Vulnerability Allowing Unauthorized Deletion of Notifications
Vulnerability
A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the Bevy Event service, affecting all versions prior to June 24, 2025. This vulnerability allows attackers to delete user notifications without authorization by sending crafted GET requests to the '/notifications/delete/' endpoint. When an authenticated admin unknowingly visits a malicious page, the attack is executed, removing notifications without consent.
Impact
Exploitation of this vulnerability leads to the unauthorized deletion of user notifications, disrupting communication and visibility on the platform. It could also facilitate further privilege abuse or denial-of-service scenarios if combined with other vulnerabilities.
Reproduction
To reproduce this vulnerability, an attacker must create a malicious webpage that, when visited by an authenticated admin, automatically sends a GET request to the '/notifications/delete/' endpoint. This can be done using an image tag or similar method to trigger the request without the user's knowledge.
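As an added illustration (not Bevy's code; the handler shape, site origin and session layout are assumptions), the pattern that makes such a delete endpoint forgeable is shown beside a hardened handler, and the cross-site GET described above is replayed against both:

```python
import hmac
import secrets

SITE_ORIGIN = "https://events.example"   # assumed value, not from the advisory
SESSIONS, NOTIFICATIONS = {}, {}         # sessionid -> session; user -> ids

def reset_state():
    """Constructed fixture: one logged-in admin holding three notifications."""
    SESSIONS.clear(); NOTIFICATIONS.clear()
    SESSIONS["sess-admin"] = {"user": "admin", "csrf": secrets.token_hex(16)}
    NOTIFICATIONS["admin"] = {101, 102, 103}

def delete_vulnerable(method, cookies, params):
    """Flawed pattern: a state change on GET, authenticated by cookie alone.
    The browser attaches that cookie to requests a foreign page triggers too."""
    sess = SESSIONS.get(cookies.get("sessionid"))
    if sess is None:
        return 401
    NOTIFICATIONS[sess["user"]].discard(int(params["id"]))
    return 200

def delete_hardened(method, cookies, params, headers):
    """Fixed pattern: POST only, Origin must match the site when present,
    and the request must carry the per-session CSRF token."""
    sess = SESSIONS.get(cookies.get("sessionid"))
    if sess is None:
        return 401
    if method != "POST":
        return 405            # rejects the image-tag style GET outright
    if headers.get("Origin", SITE_ORIGIN) != SITE_ORIGIN:
        return 403            # cross-site POST from a forged form
    if not hmac.compare_digest(params.get("csrf_token", ""), sess["csrf"]):
        return 403            # token is never readable by a foreign page
    NOTIFICATIONS[sess["user"]].discard(int(params["id"]))
    return 200

def run_scenarios():
    """Cross-site GET against both handlers, then forged and legitimate POSTs."""
    cookies = {"sessionid": "sess-admin"}   # the browser sends this either way
    reset_state()
    r = {"vuln_get": delete_vulnerable("GET", cookies, {"id": "101"})}
    r["vuln_left"] = sorted(NOTIFICATIONS["admin"])
    reset_state()
    r["hard_get"] = delete_hardened("GET", cookies, {"id": "101"}, {})
    r["hard_forged"] = delete_hardened("POST", cookies, {"id": "101"},
                                       {"Origin": "https://other.example"})
    ok = {"id": "101", "csrf_token": SESSIONS["sess-admin"]["csrf"]}
    r["hard_legit"] = delete_hardened("POST", cookies, ok, {"Origin": SITE_ORIGIN})
    r["hard_left"] = sorted(NOTIFICATIONS["admin"])
    return r
```

The method restriction alone stops the image-tag GET; the Origin check and the session-bound token are what also defeat a cross-site form POST, which is why a fix should not stop at changing the verb.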
