{"repro_id":"REPRO-2026-00115","version":6,"title":"eBay MCP Server Environment Variable Injection via Crafted Prompts","repro_type":"security","status":"published","severity":"critical","description":"An attacker can inject arbitrary environment variables into the `.env` file. This could lead to:\n- **Configuration Overwrites**: Attackers can overwrite critical settings like `EBAY_REDIRECT_URI` to hijack OAuth flows.\n- **Denial of Service**: Injecting invalid configuration can prevent the server from starting.\n- **Potential RCE**: In some environments, controlling environment variables (like `NODE_OPTIONS`) can lead to Remote Code Execution.\n\nFound with [MCPwner](https://github.com/Pigyon/MCPwner) 🕶","root_cause":"# Root Cause Analysis: GHSA-97rm-xj73-33jh\n\n## Summary\n\nThe ebay-mcp package (versions <= 1.7.2) contains an environment variable injection vulnerability in the `updateEnvFile` function located in `src/auth/oauth.ts`. This function is called by the `ebay_set_user_tokens` and `ebay_set_user_tokens_with_expiry` MCP tools to persist OAuth tokens to the `.env` file. The function blindly wraps token values in double quotes without sanitizing newline characters (`\\n`), allowing attackers to inject arbitrary environment variables into the configuration file. This could lead to OAuth flow hijacking, denial of service, or potentially remote code execution via controlled environment variables like `NODE_OPTIONS`.\n\n## Impact\n\n**Package:** ebay-mcp (npm)\n**Affected Versions:** <= 1.7.2\n**Severity:** HIGH (CVSS 8.3)\n\n**Consequences:**\n- **Configuration Overwrites:** Attackers can overwrite critical settings like `EBAY_REDIRECT_URI` to redirect OAuth callbacks to attacker-controlled endpoints\n- **Denial of Service:** Injecting malformed configuration can prevent the server from starting\n- **Potential RCE:** In environments where environment variables control execution (e.g., `NODE_OPTIONS`), attackers may achieve remote code execution\n\n## Root Cause\n\nThe vulnerability exists in the `updateEnvFile` function which constructs `.env` file entries using string interpolation:\n\n```typescript\nconst newLine = `${key}=\"${value}\"`;\n```\n\nThis approach fails to:\n1. Escape newline characters (`\\n`) within the value\n2. Validate or sanitize user-controlled input before writing to the file system\n\nWhen a token value containing a newline is processed, the newline character terminates the quoted string early and begins a new line in the file. For example, a token value of:\n```\nv1.MTIzNDU2Nzg5MA==\\nATTACK_VAR=malicious_value\n```\n\nResults in the following `.env` content:\n```\nEBAY_USER_ACCESS_TOKEN=\"v1.MTIzNDU2Nzg5MA==\nATTACK_VAR=malicious_value\"\n```\n\nThis effectively injects `ATTACK_VAR=malicious_value` as a separate environment variable.\n\n**Fix Commit:** https://github.com/YosefHayim/ebay-mcp/commit/aab0bda75ea9dd27aa37d0d8524d7cf41b3c4a9a\n\nThe fix replaces the manual string manipulation with proper parsing and serialization using the `dotenv` and `dotenv-stringify` libraries, which correctly handle special characters.\n\n## Reproduction Steps\n\nThe reproduction script is located at `repro/reproduction_steps.sh`. It:\n\n1. Creates a minimal Node.js environment with the vulnerable `updateEnvFile` function\n2. Sets up an initial `.env` file with legitimate configuration\n3. Simulates calling the function with malicious tokens containing newlines\n4. Parses the resulting `.env` file to verify arbitrary variable injection\n\n**Expected Evidence:**\nThe script should output confirmation that environment variables `ATTACK_VAR` and `SECOND_ATTACK` were successfully injected into the `.env` file.\n\n## Evidence\n\n**Log Location:** `logs/reproduction_output.log`\n\n**Key Excerpts:**\n\n```\n=== Resulting .env file after injection ===\nEBAY_APP_ID=test_app\nEBAY_CERT_ID=test_cert\nEBAY_REDIRECT_URI=https://example.com/callback\n\nEBAY_USER_ACCESS_TOKEN=\"v1.MTIzNDU2Nzg5MA==\nATTACK_VAR=malicious_value_injected\"\nEBAY_USER_REFRESH_TOKEN=\"v1.AbCdEfGhIjKl\nSECOND_ATTACK=second_payload\"\n\n=== Vulnerability Analysis ===\n❌ VULNERABILITY CONFIRMED: Environment variable injection successful!\nInjected variables:\n  - ATTACK_VAR=malicious_value_injected\"\n  - SECOND_ATTACK=second_payload\"\n```\n\n**Environment Details:**\n- Tested with Node.js (via shell script using ES modules)\n- ebay-mcp version <= 1.7.2 (vulnerable code extracted from source)\n\n## Recommendations / Next Steps\n\n**Immediate Actions:**\n1. Upgrade ebay-mcp to the patched version (commit aab0bda or later)\n2. Audit existing `.env` files for injected malicious variables if the server has been running in untrusted environments\n\n**Long-term Security Improvements:**\n1. Implement input validation on all user-controlled data before file system operations\n2. Use established libraries (like dotenv with proper serialization) rather than custom string manipulation for configuration files\n3. Consider using temporary files and atomic moves to prevent partial writes\n4. Add security unit tests specifically for injection vectors (newlines, quotes, null bytes)\n\n**Testing Recommendations:**\n- Add regression test with malicious token payloads containing: `\\n`, `\\r`, `\"`, `'`, `$`, backticks\n- Verify that the dotenv-stringify library properly escapes these characters\n- Test with Unicode and multi-byte characters\n\n## Additional Notes\n\n**Idempotency Confirmation:** The reproduction script was run twice consecutively with identical results, confirming reproducibility.\n\n**Edge Cases:**\n- The vulnerability also affects the `refreshUserAccessToken` method which calls `updateEnvFile` with refreshed tokens from eBay's API\n- If an attacker compromises the eBay API or performs a man-in-the-middle attack, they could inject malicious tokens at the source\n- The `.env` file permissions should be restrictive (600) to prevent other users from reading injected secrets\n\n**Related CWEs:**\n- CWE-15: External Control of System or Configuration Setting\n- CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')\n","ghsa_id":"GHSA-97rm-xj73-33jh","cve_id":"CVE-2026-27203","package":{"name":"@anthropic-ai/ebay-mcp-server","ecosystem":"npm","affected_versions":"<= 1.7.2"},"reproduced_at":"2026-02-20T16:12:37.510665+00:00","duration_secs":699.9104220867157,"tool_calls":114,"turns":65,"handoffs":2,"total_cost_usd":0.3759167000000001,"agent_costs":{"repro":0.0897345,"support":0.0273011,"vuln_variant":0.25888110000000003},"cost_breakdown":{"repro":{"accounts/fireworks/models/kimi-k2p5":0.0897345},"support":{"accounts/fireworks/models/kimi-k2p5":0.0273011},"vuln_variant":{"accounts/fireworks/models/kimi-k2p5":0.25888110000000003}},"quality":{"idempotent_verified":false,"community_verifications":0},"published_at":"2026-02-20T16:12:38.680938+00:00","retracted":false,"artifacts":[{"path":"repro/rca_report.md","filename":"rca_report.md","size":5296,"category":"analysis"},{"path":"repro/reproduction_steps.sh","filename":"reproduction_steps.sh","size":3947,"category":"reproduction_script"},{"path":"bundle/ticket.json","filename":"ticket.json","size":6223,"category":"other"},{"path":"bundle/ticket.md","filename":"ticket.md","size":1723,"category":"ticket"},{"path":"bundle/source.json","filename":"source.json","size":3989,"category":"other"},{"path":"logs/variant_test.log","filename":"variant_test.log","size":2519,"category":"log"},{"path":"logs/reproduction_output.log","filename":"reproduction_output.log","size":975,"category":"log"}]}