Sylius TOCTOU Race Condition Vulnerability in Promotion and Coupon Usage Limits

Vulnerability

A Time-of-Check To Time-of-Use (TOCTOU) race condition has been identified in the Sylius eCommerce framework, specifically within the promotion and coupon usage limit enforcement. This vulnerability affects versions of Sylius through 1.9.11, 1.10.0 prior to 1.10.15, 1.11.0 prior to 1.11.16, 1.12.0 prior to 1.12.22, 1.13.0 prior to 1.13.14, 1.14.0 prior to 1.14.17, 2.0.0 prior to 2.0.15, 2.1.0 prior to 2.1.11, and 2.2.0 prior to 2.2.2. The vulnerability arises because the eligibility checks for promotion and coupon usage read from an in-memory Doctrine entity without proper database-level locking: the usage counter is checked against a value loaded earlier in the request rather than against the current database state. As a result, concurrent requests can each pass the check before any of them records its use, bypassing the usage limits and allowing limited-use promotions or coupons to be redeemed multiple times, potentially leading to financial loss.

Impact

Exploitation of this vulnerability allows for unlimited redemption of limited-use promotions and discount coupons, causing direct financial loss.

Reproduction

To reproduce this vulnerability, prepare multiple carts with the same limited-use promotion or coupon. Then, send simultaneous PATCH requests to complete the orders. All requests will pass the usage limit checks and be processed, allowing a single-use promotion or coupon to be redeemed multiple times. This vulnerability can also be reproduced by a single customer completing multiple orders at the same time, bypassing the per-customer coupon usage limit.

Remediation

Sylius users can update to versions 1.9.12, 1.10.16, 1.11.17, 1.12.23, 1.13.15, 1.14.18, 2.0.16, 2.1.12, or 2.2.3. For those unable to update, a workaround involves decorating the 'OrderPromotionsUsageModifier' service to use atomic operations based on database-synchronized values. Instructions for registering this decorator service are available in the advisory.
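The following is an added illustration, not Sylius code, of the check-then-act pattern described above beside a database-atomic conditional update of the kind the workaround relies on. The promotion table, its columns and the SQLite backend are assumptions made for the example; the point is that the vulnerable path decides eligibility from a counter loaded into memory, while the atomic path makes the check and the increment a single statement the database serialises.

```python
import sqlite3

# Constructed schema standing in for a promotion with a usage limit.
# Table and column names are assumptions, not Sylius' own schema.
def make_db(usage_limit):
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE promotion (id INTEGER PRIMARY KEY, "
                 "used INTEGER NOT NULL, usage_limit INTEGER)")
    conn.execute("INSERT INTO promotion VALUES (1, 0, ?)", (usage_limit,))
    conn.commit()
    return conn

class VulnerableRedeemer:
    """Check-then-act on a counter held in memory: the TOCTOU pattern."""
    def __init__(self, conn):
        self.conn = conn
        self.loaded = None

    def load(self):  # time of check: snapshot the counter into memory
        self.loaded = self.conn.execute(
            "SELECT used, usage_limit FROM promotion WHERE id = 1").fetchone()

    def eligible(self):  # decision made from the stale snapshot
        used, limit = self.loaded
        return limit is None or used < limit

    def commit(self):  # time of use: write back snapshot + 1, clobbering others
        used, _ = self.loaded
        self.conn.execute("UPDATE promotion SET used = ? WHERE id = 1", (used + 1,))
        self.conn.commit()

def redeem_atomic(conn):
    """One conditional UPDATE: check and increment cannot be interleaved."""
    cur = conn.execute(
        "UPDATE promotion SET used = used + 1 WHERE id = 1 "
        "AND (usage_limit IS NULL OR used < usage_limit)")
    conn.commit()
    return cur.rowcount == 1  # 0 rows touched means the limit was already reached

def run_vulnerable(n_requests, usage_limit):
    """Model n concurrent checkouts that all check before any of them writes."""
    conn = make_db(usage_limit)
    reqs = [VulnerableRedeemer(conn) for _ in range(n_requests)]
    for r in reqs:
        r.load()
    accepted = [r for r in reqs if r.eligible()]
    for r in accepted:
        r.commit()
    return len(accepted), conn.execute("SELECT used FROM promotion").fetchone()[0]

def run_atomic(n_requests, usage_limit):
    conn = make_db(usage_limit)
    accepted = sum(redeem_atomic(conn) for _ in range(n_requests))
    return accepted, conn.execute("SELECT used FROM promotion").fetchone()[0]
```

With a limit of 1 and five interleaved requests the vulnerable path accepts all five yet records a single use, which is also why the overshoot is invisible in the stored counter afterwards; the atomic path accepts exactly one.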

Added: Mar 10, 2026, 10:33 PM
Updated: Mar 10, 2026, 10:33 PM

Vulnerability Rating

Custom Algorithm
spread: 3.4
impact: 2.5
exploitability: 5.3
remediation: 7.7
relevance: 3.7
threat: 1.6
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.