Description
Sylius is an Open Source eCommerce Framework on Symfony. A Time-of-Check To Time-of-Use (TOCTOU) race condition was discovered in the promotion usage limit enforcement. The same class of vulnerability affects the promotion usage limit (the global used counter on Promotion entities), coupon usage limit (the global used counter on PromotionCoupon entities), and coupon per-customer usage limit (the per-customer redemption count on PromotionCoupon entities). In all three cases, the eligibility check reads the used counter (or order count) from an in-memory Doctrine entity during validation, while the actual usage increment in OrderPromotionsUsageModifier happens later during order completion — with no database-level locking or atomic operations between the two phases. Because Doctrine flushes an absolute value (SET used = 1) rather than an atomic increment (SET used = used + 1), and because the affected entities lack optimistic locking, concurrent requests all read the same stale usage counts and pass the eligibility checks simultaneously. An attacker can exploit this by preparing multiple carts with the same limited-use promotion or coupon and firing simultaneous PATCH /api/v2/shop/orders/{token}/complete requests. All requests pass the usage limit checks and complete successfully, allowing a single-use promotion or coupon to be redeemed an arbitrary number of times. The per-customer limit can be bypassed in the same way by a single customer completing multiple orders concurrently. No authentication is required to exploit this vulnerability. This may lead to direct financial loss through unlimited redemption of limited-use promotions and discount coupons. The issue is fixed in versions: 1.9.12, 1.10.16, 1.11.17, 1.12.23, 1.13.15, 1.14.18, 2.0.16, 2.1.12, 2.2.3 and above.
Published: 2026-03-10
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Financial Loss via Unlimited Promotion Redemption
Action: Apply Patch
AI Analysis

Impact

Sylius exposes a Time‑of‑Check to Time‑of‑Use race condition that allows an attacker to bypass promotion and coupon usage limits. The bug arises because the eligibility check reads the usage counter from memory, while the increment occurs later, without database locking or atomic operations. Because Doctrine writes a fixed value instead of an atomic increment and the entities lack optimistic locking, concurrent order completions can pass the eligibility test multiple times, enabling unlimited redemptions of a promotion or coupon that was intended to be single‑use or customer‑limited. This failure is exploitable without authentication and can lead to direct financial loss for merchants offering discounted or promotional items. The weakness is identified as CWE‑362 and CWE‑367.

Affected Systems

Sylius (vendor Sylius, product sylius) is affected in all versions before the fixed releases. The fix is available in the following releases: 1.9.12, 1.10.16, 1.11.17, 1.12.23, 1.13.15, 1.14.18, 2.0.16, 2.1.12, 2.2.3, and all later versions on each branch.

Risk and Exploitability

The CVSS 3.1 score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L) designates high severity: the endpoint is network-reachable, the attack is low complexity, and no privileges or user interaction are needed, with high integrity impact. The EPSS score of <1% indicates a low estimated probability of exploitation in the wild over the coming weeks, and the vulnerability is not listed in CISA's KEV catalog; the SSVC assessment on this record nonetheless marks it Automatable: yes. Because authentication is not required and the attack is a straightforward race triggered by concurrent PATCH /api/v2/shop/orders/{token}/complete requests, an attacker can script the preparation of several carts carrying the same limited-use promotion or coupon and fire their completion requests simultaneously, so that every request passes the stale usage-count check before any increment is written. The direct financial loss potential and the lack of authentication barriers elevate the risk for e-commerce operators using Sylius.

Generated by OpenCVE AI on April 16, 2026 at 09:24 UTC.

Remediation

The CVE record carries no separate vendor fix or workaround field; the fixed releases are listed in the description and in the GHSA advisory GHSA-7mp4-25j8-hp5q.

OpenCVE Recommended Actions

  • Upgrade Sylius to the patched release of the minor branch in use: 1.9.12, 1.10.16, 1.11.17, 1.12.23, 1.13.15, 1.14.18, 2.0.16, 2.1.12 or 2.2.3, or any later version.
  • If an immediate upgrade is not possible, temporarily disable promotions and coupons that rely on a usage limit (global or per-customer), since the limit cannot be trusted until the patch is applied.
  • If you maintain a fork or cannot upgrade, make the check and the increment a single atomic database operation (a conditional UPDATE ... SET used = used + 1 WHERE used < usage_limit, a row lock held across check and increment, or a version column for optimistic locking on the Promotion and PromotionCoupon entities) instead of flushing an absolute value computed from an in-memory entity.
  • Check existing orders for coupons or promotions whose count of completed orders exceeds the configured limit; such rows indicate the race has already been exploited.

Generated by OpenCVE AI on April 16, 2026 at 09:24 UTC.
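The following is an added example, not Sylius code and not the vendor's fix. It models the two-phase race the Description explains (eligibility check against an in-memory entity, later flush of an absolute value) against an in-memory SQLite table, and beside it shows the two controls the recommended actions name: a single conditional UPDATE and an optimistic-locking version column. The table, column and function names are assumptions chosen for illustration; the worst-case request schedule is forced explicitly so the outcome is deterministic rather than timing-dependent.

```python
"""Model of a promotion usage-limit TOCTOU race and two ways to close it.

Added example: not Sylius code. Table, column and function names are
assumptions for illustration only.
"""
import sqlite3

# Constructed schema standing in for the used/usageLimit fields on
# Promotion and PromotionCoupon; 'version' is used only by the
# optimistic-locking variant.
SCHEMA = """
CREATE TABLE promotion (
    id          INTEGER PRIMARY KEY,
    code        TEXT    NOT NULL,
    usage_limit INTEGER NOT NULL,
    used        INTEGER NOT NULL DEFAULT 0,
    version     INTEGER NOT NULL DEFAULT 0
);
"""


def fresh_db(usage_limit=1):
    """One promotion row with the given limit and nothing redeemed yet."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.execute("INSERT INTO promotion (id, code, usage_limit) VALUES (1, 'SINGLE', ?)",
               (usage_limit,))
    db.commit()
    return db


def _final_used(db):
    return db.execute("SELECT used FROM promotion WHERE id = 1").fetchone()[0]


def vulnerable_complete_orders(db, n_orders):
    """Vulnerable flow: phase 1 loads the row into each request's own entity;
    phase 2 checks that stale value, then flushes an absolute value
    (SET used = 1) rather than an increment. All phase-1 reads happen before
    any phase-2 write, which is what a burst of simultaneous /complete
    requests produces. Returns (orders completed, final used counter)."""
    snapshots = [db.execute("SELECT used, usage_limit FROM promotion WHERE id = 1").fetchone()
                 for _ in range(n_orders)]
    completed = 0
    for used, limit in snapshots:
        if used >= limit:          # eligibility check against the stale value
            continue
        db.execute("UPDATE promotion SET used = ? WHERE id = 1", (used + 1,))
        completed += 1
    db.commit()
    return completed, _final_used(db)


def atomic_complete_orders(db, n_orders):
    """Hardened flow: check and increment in one conditional UPDATE. The
    database evaluates 'used < usage_limit' at write time under its row
    lock, so no interleaving can push 'used' past the limit; rowcount tells
    the request whether it won a slot."""
    completed = 0
    for _ in range(n_orders):
        cur = db.execute("UPDATE promotion SET used = used + 1 "
                         "WHERE id = 1 AND used < usage_limit")
        if cur.rowcount == 1:
            completed += 1
        # rowcount == 0: limit already reached, reject this order
    db.commit()
    return completed, _final_used(db)


def versioned_complete_orders(db, n_orders):
    """Optimistic locking under the same worst-case schedule: each write is
    guarded by the version the request originally read, so a stale entity's
    write matches zero rows (an ORM would raise an optimistic-lock error
    here) and that order is rejected."""
    snapshots = [db.execute("SELECT used, usage_limit, version FROM promotion WHERE id = 1").fetchone()
                 for _ in range(n_orders)]
    completed = 0
    for used, limit, version in snapshots:
        if used >= limit:
            continue
        cur = db.execute("UPDATE promotion SET used = ?, version = version + 1 "
                         "WHERE id = 1 AND version = ?", (used + 1, version))
        if cur.rowcount == 1:
            completed += 1
    db.commit()
    return completed, _final_used(db)


if __name__ == "__main__":
    for name, fn in [("vulnerable", vulnerable_complete_orders),
                     ("atomic", atomic_complete_orders),
                     ("versioned", versioned_complete_orders)]:
        done, used = fn(fresh_db(usage_limit=1), 5)
        print(f"{name:10s} limit=1 requests=5 -> completed={done} used={used}")
```

With a limit of 1 and five racing requests, the vulnerable flow completes all five orders and leaves the counter at 1, which is exactly the symptom the advisory describes; the conditional-UPDATE and versioned flows each complete one. In Doctrine terms the atomic form corresponds to issuing the UPDATE through a query rather than mutating the entity and flushing it, and the versioned form to marking the counter's entity with a version field for optimistic locking; either removes the window between check and increment.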


Advisories
Source | ID | Title
Github GHSA | GHSA-7mp4-25j8-hp5q | Sylius has a Promotion Usage Limit Bypass via Race Condition
History

Wed, 11 Mar 2026 19:45:00 +0000

Type | Values Removed | Values Added
CPEs | | cpe:2.3:a:sylius:sylius:*:*:*:*:*:*:*:*

Wed, 11 Mar 2026 17:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 11 Mar 2026 12:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Sylius; Sylius sylius
Vendors & Products | | Sylius; Sylius sylius

Tue, 10 Mar 2026 22:00:00 +0000

Type | Values Removed | Values Added
Description | | Sylius is an Open Source eCommerce Framework on Symfony. A Time-of-Check To Time-of-Use (TOCTOU) race condition was discovered in the promotion usage limit enforcement. The same class of vulnerability affects the promotion usage limit (the global used counter on Promotion entities), coupon usage limit (the global used counter on PromotionCoupon entities), and coupon per-customer usage limit (the per-customer redemption count on PromotionCoupon entities). In all three cases, the eligibility check reads the used counter (or order count) from an in-memory Doctrine entity during validation, while the actual usage increment in OrderPromotionsUsageModifier happens later during order completion — with no database-level locking or atomic operations between the two phases. Because Doctrine flushes an absolute value (SET used = 1) rather than an atomic increment (SET used = used + 1), and because the affected entities lack optimistic locking, concurrent requests all read the same stale usage counts and pass the eligibility checks simultaneously. An attacker can exploit this by preparing multiple carts with the same limited-use promotion or coupon and firing simultaneous PATCH /api/v2/shop/orders/{token}/complete requests. All requests pass the usage limit checks and complete successfully, allowing a single-use promotion or coupon to be redeemed an arbitrary number of times. The per-customer limit can be bypassed in the same way by a single customer completing multiple orders concurrently. No authentication is required to exploit this vulnerability. This may lead to direct financial loss through unlimited redemption of limited-use promotions and discount coupons. The issue is fixed in versions: 1.9.12, 1.10.16, 1.11.17, 1.12.23, 1.13.15, 1.14.18, 2.0.16, 2.1.12, 2.2.3 and above.
Title | | Sylius has a Promotion Usage Limit Bypass via Race Condition
Weaknesses | | CWE-362; CWE-367
References | |
Metrics | | cvssV3_1 {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-11T15:59:35.695Z

Reserved: 2026-03-09T17:41:56.077Z

Link: CVE-2026-31824

Vulnrichment

Updated: 2026-03-11T15:53:31.148Z

NVD

Status : Analyzed

Published: 2026-03-10T22:16:20.137

Modified: 2026-03-11T19:30:24.990

Link: CVE-2026-31824

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T09:30:06Z

Weaknesses