Description
The ebay_set_user_tokens tool allows updating the .env file with new tokens. The updateEnvFile function in src/auth/oauth.ts blindly appends or replaces values without validating them for newlines or quotes. This allows an attacker to inject arbitrary environment variables into the configuration file.
Recommendation
No fix is available yet. The following versions are affected:
- <= 1.7.2
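Until a fix ships, the missing check can be applied before any token reaches the file. The sketch below is an added example, not code from ebay-mcp: `writeEntry`, `setEnvValueSafe`, `envKeys`, the key names and the sample values are all hypothetical, and it assumes legitimate tokens never contain control characters, quotes or backslashes. It shows how an unvalidated write lets a value with an embedded newline add a second entry, and how a validated write rejects it.

```typescript
// Added illustration: hypothetical helpers and constructed data, not ebay-mcp code.
const KEY_RE = /^[A-Z_][A-Z0-9_]*$/;
// Control characters (CR, LF, NUL included), quotes (\x60 is the backtick) and
// backslashes can end or re-quote a dotenv entry. Assumed absent from real tokens.
const UNSAFE_VALUE_RE = /[\x00-\x1f\x7f"'\x60\\]/;

// Unvalidated write, the pattern the advisory describes: replace the
// existing KEY= line or append one, with the value copied verbatim.
function writeEntry(content: string, key: string, value: string): string {
  const line = `${key}=${value}`;
  const existing = new RegExp(`^${key}=.*$`, "m");
  if (existing.test(content)) {
    // Function replacer so "$&" and similar in the value are not interpreted.
    return content.replace(existing, () => line);
  }
  const base = content === "" || content.endsWith("\n") ? content : content + "\n";
  return base + line + "\n";
}

// Validated write: refuse anything that could change the file's structure.
function setEnvValueSafe(content: string, key: string, value: string): string {
  if (!KEY_RE.test(key)) throw new Error(`invalid key: ${JSON.stringify(key)}`);
  if (UNSAFE_VALUE_RE.test(value)) throw new Error(`refusing unsafe value for ${key}`);
  return writeEntry(content, key, value);
}

// Keys a line-based dotenv parser would see in the file.
function envKeys(content: string): string[] {
  const keys: string[] = [];
  for (const line of content.split(/\r?\n/)) {
    const m = /^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=/.exec(line);
    if (m) keys.push(String(m[1]));
  }
  return keys;
}

// Constructed sample file and a constructed value carrying an embedded newline.
const sampleEnv = "CLIENT_ID=example-id\nUSER_ACCESS_TOKEN=old\n";
const crafted = "new-token\nINJECTED_KEY=constructed";
```

Rejecting the value outright, rather than escaping it, keeps the writer independent of how a given dotenv parser handles quoting.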
Tags: npm, ebay-mcp
Last updated on February 23, 2026