PT-2025-28303 — Taylored

PT-2025-28303 · Npm · Taylored

Published

2025-06-27

Updated

2025-06-27

None

No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.

Hi team,

I was looking at the recent fix and you limited the exploitability of race conditions but unfortunately it is still possible to exploit the issue since two requests happening at the exact same time will still go through. You should be able to completely fix the race conditions by leveraging SQLITE write lock and just send one query.

Summary

The /get-patch endpoint processes a purchase in two separate database queries: a SELECT that verifies the token is unused, followed by an UPDATE that marks the token as used. Because SQLite only guards each statement, a malicious actor can issue two requests at the exact same moment and have both SELECT statements succeed before either UPDATE runs.

Details

The handler executes (step 1):

SELECT id, token used at FROM purchases WHERE patch id = ? AND purchase token = ? AND status = 'COMPLETED'

If token used at IS NULL, the request passes the check (step 2):

    if (row.token used at) {
      return res.status(403).json({ error: "Purchase token has already been used." });
    }

The handler finally runs (step 3):

UPDATE purchases SET token used at = CURRENT TIMESTAMP WHERE id = ?

When two requests arrive at the same time, they both finish step 1 while the row is still unused. SQLite serializes writers only per statement, so each request believes it has exclusive access. Both decrypt and return the patch, and both UPDATE statements succeed.

PoC

To perform this attack, you need to send two requests at the exact same time.

Impact

An attacker who possesses a valid purchase token can replay it and receive multiple copies of the paid patch, or distribute one copy while still keeping their own. This results in revenue loss and undermines license enforcement.

Remediation

Replace the read-then-write sequence with a single atomic statement that both validates and consumes the token while SQLite holds the write lock:

const row = db.prepare(`
 UPDATE purchases
   SET token used at = CURRENT TIMESTAMP
  WHERE patch id    = ?
   AND purchase token = ?
   AND status     = 'COMPLETED'
   AND token used at IS NULL
 RETURNING id;
`).get(patchId, token);

if (!row) return res.status(403).json({ error: 'Invalid or already-used token.' });

Race Condition

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-362

Related Identifiers

GHSA-VH5J-5FHQ-9XWG

Affected Products

Taylored