A race condition vulnerability exists in MedusaJS Medusa v2.12.2 and earlier in the registerUsage() function of the promotion module. The function performs a non-atomic read-check-update operation when enforcing promotion usage limits. This allows unauthenticated remote attackers to bypass usage limits by sending concurrent checkout requests, resulting in unlimited redemptions of limited-use promotional codes and potential financial loss.
Metrics
Affected Vendors & Products
No data.
No data.
No data.
No data.
Advisories
No advisories yet.
Fixes
Solution
No solution given by the vendor.
Workaround
No workaround given by the vendor.
References
History
Wed, 11 Feb 2026 18:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | A race condition vulnerability exists in MedusaJS Medusa v2.12.2 and earlier in the registerUsage() function of the promotion module. The function performs a non-atomic read-check-update operation when enforcing promotion usage limits. This allows unauthenticated remote attackers to bypass usage limits by sending concurrent checkout requests, resulting in unlimited redemptions of limited-use promotional codes and potential financial loss. | |
| References |
|
Projects
Sign in to view the affected projects.
MITRE
Status: PUBLISHED
Assigner: mitre
Published:
Updated: 2026-02-11T18:09:28.332Z
Reserved: 2026-01-09T00:00:00.000Z
Link: CVE-2025-69871
Vulnrichment
No data.
NVD
Status : Received
Published: 2026-02-11T19:15:50.230
Modified: 2026-02-11T19:15:50.230
Link: CVE-2025-69871
Redhat
No data.
OpenCVE Enrichment
No data.
Weaknesses
No weakness.