CVE-2025-69871: MedusaJS Promotion Usage Limit Race Condition

Overview

Description
A Time-of-Check to Time-of-Use (TOCTOU) race condition vulnerability exists in MedusaJS Medusa versions v2.12.0 through v2.13.1. It allows attackers to bypass promotion usage limits by sending concurrent checkout requests.

Affected Component
File:
Function:
Lines: 339-352

Root Cause
The affected function uses a non-atomic read-check-update sequence: it reads the promotion's "used" count, compares it with the limit in application code, and then writes the incremented value back. Nothing prevents another request from running the same sequence between the read and the write, so that gap is the race window.

Attack Scenario
Two concurrent requests can both read the same "used" count, both pass the limit check, and both update the database, so the promotion is redeemed more times than its limit allows.

Steps to Reproduce
1. Create multiple shopping carts with the same promotion code.
2. Send concurrent HTTP POST requests to .
3. The promotion limit is bypassed.

Impact
Financial Loss: Unlimited redemption of discount codes.
Campaign Budget Overrun: Exceeded promotion limits.
Business Logic Bypass: Unreliable promotion usage tracking.

Prior Identification
An AI tool identified this vulnerability before the code was merged.

Recommended Remediation
1. Atomic database operation: perform the limit check and the increment in a single SQL UPDATE statement, so the database evaluates the condition and writes the new count under one lock.
2. Pessimistic locking: lock the promotion row before reading it, so concurrent requests serialize on the row for the whole read-check-update sequence.

Timeline

Credit
Discovered by Ethan Taebeom Kim of Cremit.
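To make the root cause and the first remediation concrete, the following added example (not Medusa's own code) runs the vulnerable read-check-update pattern and the single-statement conditional UPDATE side by side against a throwaway SQLite file, with several threads standing in for concurrent checkout requests. The table name `promotion`, the columns `used`/`usage_limit`, and the code `SAVE10` are constructed stand-ins, not Medusa's schema.

```python
import os
import sqlite3
import tempfile
import threading
import time
from contextlib import closing

# Constructed schema: one promotion with a usage limit of 1, not yet redeemed.
SCHEMA = """
CREATE TABLE promotion (
    code TEXT PRIMARY KEY, used INTEGER NOT NULL, usage_limit INTEGER NOT NULL);
INSERT INTO promotion VALUES ('SAVE10', 0, 1);
"""

def fresh_db() -> str:
    """Create a temporary on-disk SQLite database that all threads can open."""
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    with closing(sqlite3.connect(path)) as conn:
        conn.executescript(SCHEMA)
    return path

def redeem_racy(path: str, code: str) -> bool:
    """Vulnerable pattern: SELECT, check in application code, then UPDATE.
    The time between the SELECT and the UPDATE is the TOCTOU window."""
    with closing(sqlite3.connect(path, isolation_level=None)) as conn:  # autocommit
        used, limit = conn.execute(
            "SELECT used, usage_limit FROM promotion WHERE code = ?", (code,)).fetchone()
        if used >= limit:
            return False
        time.sleep(0.2)  # widen the window so the threads reliably interleave
        conn.execute("UPDATE promotion SET used = ? WHERE code = ?", (used + 1, code))
        return True

def redeem_atomic(path: str, code: str) -> bool:
    """Remediation 1: check and increment in one conditional UPDATE.
    The database evaluates 'used < usage_limit' under its own write lock."""
    with closing(sqlite3.connect(path, isolation_level=None)) as conn:
        cur = conn.execute(
            "UPDATE promotion SET used = used + 1 WHERE code = ? AND used < usage_limit",
            (code,))
        return cur.rowcount == 1  # 0 rows updated means the limit was already reached

def concurrent_redemptions(redeem, n: int = 5) -> int:
    """Fire n concurrent redemptions of the same code; return how many succeeded."""
    path = fresh_db()
    results = []
    threads = [threading.Thread(target=lambda: results.append(redeem(path, "SAVE10")))
               for _ in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    os.remove(path)
    return sum(results)
```

With a limit of 1, `concurrent_redemptions(redeem_racy)` reports several successful redemptions, while `concurrent_redemptions(redeem_atomic)` reports exactly one regardless of how many requests race.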