MedusaJS Medusa Race Condition Vulnerability in Promotion Module Usage Limit Enforcement
Vulnerability
A race condition vulnerability has been identified in MedusaJS Medusa versions 2.12.0 and later, prior to 2.13.1, within the promotion module's 'registerUsage()' function. The flaw arises from a non-atomic read-check-update sequence when enforcing promotion usage limits: the current usage count is read, compared against the limit, and written back as separate steps, so concurrent requests can all observe the same stale count before any of them writes. As a result, unauthenticated remote attackers can exploit this flaw by sending simultaneous checkout requests, bypassing usage restrictions and allowing unlimited redemptions of promotional codes, which could lead to significant financial losses for merchants.
Impact
Exploitation of this vulnerability allows for unlimited redemptions of limited-use promotional codes, causing direct financial loss to merchants. Additionally, it disrupts the accuracy of promotion usage tracking, leading to unreliable audit trails and potential overages in campaign budgets.
Reproduction
To reproduce this vulnerability, create multiple shopping carts with the same limited-use promotion code. After preparing the carts for checkout, send concurrent HTTP POST requests to complete the checkout process for all carts simultaneously. This will bypass the promotion usage limit, as multiple requests can be processed before the database is updated.
Remediation
The vulnerability can be addressed by implementing atomic database operations for updating promotion usage counts, so that the read-check-update sequence is performed as a single, indivisible operation (for example, one conditional update that increments the counter only while it is below the limit, with the caller treating zero affected rows as a rejected redemption). Alternatively, the promotion row can be locked at the database level for the duration of the check and update, preventing concurrent modifications.
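The following TypeScript is an added illustration, not Medusa's code, of both the race described under Reproduction and the atomic fix described under Remediation. An in-memory store stands in for the database and awaits a simulated round trip between operations so that concurrent checkouts interleave the way separate queries would; the names PromotionStore, registerUsageRacy, registerUsageAtomic, runConcurrentCheckouts and the promotion code SAVE10 are all hypothetical. The racy path mirrors a read-check-update done in application code; the atomic path mirrors a single conditional UPDATE that only increments while the count is below the limit.

```typescript
// Added example (not Medusa's code). Models a limited-use promotion counter
// under concurrent checkouts, once with a non-atomic read-check-update and
// once with an atomic conditional increment. All names are hypothetical.

interface PromotionRow {
  code: string;
  usageLimit: number;
  usageCount: number;
}

// Simulates a database round trip: yields to the event loop so other
// in-flight requests can run between this request's queries.
const roundTrip = (): Promise<void> => new Promise((resolve) => setTimeout(resolve, 0));

class PromotionStore {
  private rows = new Map<string, PromotionRow>();

  constructor(rows: PromotionRow[]) {
    for (const r of rows) this.rows.set(r.code, { ...r });
  }

  // Equivalent of: SELECT ... FROM promotion WHERE code = $1
  async read(code: string): Promise<PromotionRow> {
    await roundTrip();
    const row = this.rows.get(code);
    if (!row) throw new Error(`unknown promotion ${code}`);
    return { ...row };
  }

  // Equivalent of: UPDATE promotion SET usage_count = $2 WHERE code = $1
  async write(code: string, usageCount: number): Promise<void> {
    await roundTrip();
    this.rows.get(code)!.usageCount = usageCount;
  }

  // Equivalent of:
  //   UPDATE promotion SET usage_count = usage_count + 1
  //   WHERE code = $1 AND usage_count < usage_limit
  // Returns the affected-row count: 1 = redeemed, 0 = limit already reached.
  // Check and increment happen in one step, so no other request can
  // observe the row between them.
  async incrementIfBelowLimit(code: string): Promise<number> {
    await roundTrip();
    const row = this.rows.get(code)!;
    if (row.usageCount >= row.usageLimit) return 0;
    row.usageCount += 1;
    return 1;
  }

  usageCount(code: string): number {
    return this.rows.get(code)!.usageCount;
  }
}

// Vulnerable pattern: read the count, check it in application code, write it
// back. Every request that reads before the first write sees the same count.
async function registerUsageRacy(store: PromotionStore, code: string): Promise<boolean> {
  const row = await store.read(code);
  if (row.usageCount >= row.usageLimit) return false;
  await store.write(code, row.usageCount + 1);
  return true;
}

// Hardened pattern: let the database perform the check-and-increment atomically
// and treat zero affected rows as a rejected redemption.
async function registerUsageAtomic(store: PromotionStore, code: string): Promise<boolean> {
  return (await store.incrementIfBelowLimit(code)) === 1;
}

// Fires `concurrency` checkouts for one code at the same time (the constructed
// scenario from the Reproduction section) and reports how many redemptions
// succeeded against the limit, plus the counter the store ends up holding.
async function runConcurrentCheckouts(
  register: (store: PromotionStore, code: string) => Promise<boolean>,
  usageLimit: number,
  concurrency: number,
): Promise<{ redeemed: number; stored: number }> {
  const store = new PromotionStore([{ code: "SAVE10", usageLimit, usageCount: 0 }]);
  const results = await Promise.all(
    Array.from({ length: concurrency }, () => register(store, "SAVE10")),
  );
  return {
    redeemed: results.filter(Boolean).length,
    stored: store.usageCount("SAVE10"),
  };
}

async function main(): Promise<void> {
  // Racy: all 20 requests read count 0, all pass the check, all redeem.
  console.log("racy  :", await runConcurrentCheckouts(registerUsageRacy, 1, 20));
  // Atomic: exactly one request wins; the other 19 see zero affected rows.
  console.log("atomic:", await runConcurrentCheckouts(registerUsageAtomic, 1, 20));
}

main();
```

The racy result also shows the audit problem noted under Impact: twenty redemptions succeed while the stored counter reads one, so usage reports understate what was actually redeemed. With a real database the same property comes from a single conditional UPDATE (or an update under a row lock) rather than from the in-memory store used here.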
