GHSA-97rm-xj73-33jh

Source

https://github.com/advisories/GHSA-97rm-xj73-33jh

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-97rm-xj73-33jh/GHSA-97rm-xj73-33jh.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-97rm-xj73-33jh

Aliases

CVE-2026-27203

Published

2026-02-19T20:27:11Z

Modified

2026-02-23T23:43:54.564312Z

Severity

8.3 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H CVSS Calculator

Summary

eBay API MCP Server Affected by Environment Variable Injection

Details

The ebay_set_user_tokens tool allows updating the .env file with new tokens. The updateEnvFile function in src/auth/oauth.ts blindly appends or replaces values without validating them for newlines or quotes. This allows an attacker to inject arbitrary environment variables into the configuration file.

Impact

An attacker can inject arbitrary environment variables into the .env file. This could lead to: - Configuration Overwrites: Attackers can overwrite critical settings like EBAY_REDIRECT_URI to hijack OAuth flows. - Denial of Service: Injecting invalid configuration can prevent the server from starting. - Potential RCE: In some environments, controlling environment variables (like NODE_OPTIONS) can lead to Remote Code Execution.

Found with MCPwner 🕶

Database specific

{
    "nvd_published_at": "2026-02-21T00:16:17Z",
    "github_reviewed_at": "2026-02-19T20:27:11Z",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-15",
        "CWE-74"
    ],
    "severity": "HIGH"
}

References

Affected packages

npm / ebay-mcp

Package

Name: ebay-mcp; View open source insights on deps.dev
Purl: pkg:npm/ebay-mcp

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Last affected

1.7.2

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-97rm-xj73-33jh/GHSA-97rm-xj73-33jh.json"