CVE-2025-69871

Published: Feb 11, 2026

Modified: Feb 12, 2026

PUBLISHED

Description

A race condition vulnerability exists in MedusaJS Medusa v2.12.2 and earlier in the registerUsage() function of the promotion module. The function performs a non-atomic read-check-update operation when enforcing promotion usage limits. This allows unauthenticated remote attackers to bypass usage limits by sending concurrent checkout requests, resulting in unlimited redemptions of limited-use promotional codes and potential financial loss.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

https://github.com/medusajs/medusa/pull/13760

https://github.com/medusajs/medusa

https://github.com/EthanKim88/ethan-cve-disclosures/blob/main/CVE-2025-69871-MedusaJS-TOCTOU.md

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2025-69871

Description

Affected Products

References