CVE-2025-69871

Feb. 11, 2026, 7:15 p.m.

None
No Score

Description

A race condition vulnerability exists in MedusaJS Medusa v2.12.2 and earlier in the registerUsage() function of the promotion module. The function performs a non-atomic read-check-update operation when enforcing promotion usage limits. This allows unauthenticated remote attackers to bypass usage limits by sending concurrent checkout requests, resulting in unlimited redemptions of limited-use promotional codes and potential financial loss.

Product(s) Impacted

Vendor Product Versions
Medusajs
  • Medusa
  • 2.12.2

Weaknesses

Common security weaknesses mapped to this vulnerability.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a medusajs medusa 2.12.2 / / / / / / /

References

https://github.com/EthanKim88/ethan-cve-disclosures/blob/main/CVE-2025-69871-MedusaJS-TOCTOU.md
https://github.com/medusajs/medusa
https://github.com/medusajs/medusa/pull/13760

Tags

[email protected]
2026-02-11
CVE-2025-69871

Timeline

Published: Feb. 11, 2026, 7:15 p.m.
Last Modified: Feb. 11, 2026, 7:15 p.m.

Status : Received

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

[email protected]

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.