PT-2026-7635 · Medusajs · Medusajs
Published: 2026-02-11 · Updated: 2026-02-12 · CVE-2025-69871
CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: MedusaJS versions prior to 2.12.2
Description: A race condition exists in the registerUsage() function within the promotion module. This function uses a non-atomic read-check-update process when managing promotion usage limits. This allows unauthenticated remote attackers to bypass these limits by sending multiple, simultaneous checkout requests. Successful exploitation can lead to unlimited redemptions of limited-use promotional codes and potential financial loss.
Recommendations: Update to a version later than 2.12.2.
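The non-atomic read-check-update the description refers to, shown beside the atomic check-and-increment a fix would use, as an added example that is not MedusaJS code: the UsageRow type, the SAMPLE-PROMO row and the round-robin simulate() scheduler are constructed here, and the SQL in the comments is illustrative rather than Medusa's own query.

```typescript
// Added example, not MedusaJS code: a toy model of a promotion usage counter
// protected by a per-code limit. Each checkout is a generator that yields
// where a real implementation would await a database round trip; a
// round-robin scheduler interleaves the requests deterministically.

type UsageRow = { code: string; used: number; limit: number };
type Checkout = Generator<void, boolean, void>;

// Vulnerable pattern: read, check in application code, write back later.
function* registerUsageRacy(row: UsageRow): Checkout {
  const used = row.used;               // SELECT used FROM promotion_usage ...
  yield;                               // round trip; other requests run here
  if (used >= row.limit) return false; // check against a possibly stale value
  yield;                               // another round trip before the write
  row.used = used + 1;                 // UPDATE ... SET used = <stale + 1>
  return true;
}

// Hardened pattern: check and increment are one step, as a single
// conditional statement would be, e.g. (illustrative SQL, not Medusa's):
//   UPDATE promotion_usage SET used = used + 1 WHERE code = $1 AND used < limit
// with "0 rows updated" treated by the caller as the limit being reached.
function* registerUsageAtomic(row: UsageRow): Checkout {
  yield;                               // same latency, but no state carried across it
  if (row.used >= row.limit) return false;
  row.used += 1;                       // no yield between check and write
  return true;
}

// Runs `requests` concurrent checkouts against one row, one step at a time
// in round-robin order; returns how many were accepted and the final count.
function simulate(
  start: (row: UsageRow) => Checkout,
  limit: number,
  requests: number,
): { accepted: number; used: number } {
  const row: UsageRow = { code: "SAMPLE-PROMO", used: 0, limit }; // constructed
  const pending = Array.from({ length: requests }, () => start(row));
  let accepted = 0;
  while (pending.length > 0) {
    const gen = pending.shift()!;
    const step = gen.next();
    if (step.done) {
      if (step.value) accepted += 1;
    } else {
      pending.push(gen);
    }
  }
  return { accepted, used: row.used };
}
```

With a limit of 3 and 5 simultaneous checkouts, the racy version accepts all 5 and records a usage count of 1 (a lost update), while the atomic version accepts exactly 3.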

Exploit · Fix · Race Condition
Weakness Enumeration
Related Identifiers: CVE-2025-69871
Affected Products: Medusajs