CVE-2025-69871
Published: 11 February 2026
Summary
CVE-2025-69871 is a high-severity Race Condition (CWE-362) vulnerability. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 14.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SC-5 (Denial-of-service Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly requires identification, reporting, and correction of the race condition in registerUsage() to eliminate the non-atomic read-check-update vulnerability allowing unlimited promotion redemptions.
Denial-of-service protections including rate limiting concurrent requests prevent attackers from sending simultaneous checkouts needed to race past usage limit enforcement.
System monitoring identifies indicators of exploitation such as anomalous patterns of concurrent checkout requests bypassing promotion usage limits.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Direct remote exploitation of public-facing MedusaJS web application via TOCTOU race condition to abuse promotion logic.
NVD Description
A race condition vulnerability exists in MedusaJS Medusa v2.12.2 and earlier in the registerUsage() function of the promotion module. The function performs a non-atomic read-check-update operation when enforcing promotion usage limits. This allows unauthenticated remote attackers to bypass usage limits…
more
by sending concurrent checkout requests, resulting in unlimited redemptions of limited-use promotional codes and potential financial loss.
Deeper analysisAI
CVE-2025-69871 is a race condition vulnerability (CWE-362) in MedusaJS Medusa versions 2.12.2 and earlier. The issue occurs in the registerUsage() function of the promotion module, which performs a non-atomic read-check-update operation when enforcing promotion usage limits. This Time-of-Check to Time-of-Use (TOCTOU) flaw has a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant confidentiality, integrity, and availability impacts.
Unauthenticated remote attackers can exploit the vulnerability by sending concurrent checkout requests to race past the usage limit checks. Successful exploitation allows attackers to redeem limited-use promotional codes unlimited times, bypassing intended restrictions and potentially leading to financial loss for merchants or services relying on MedusaJS for e-commerce promotions.
Mitigation is available via a patch in MedusaJS pull request #13760 on the project's GitHub repository (https://github.com/medusajs/medusa/pull/13760). Security practitioners should update to a fixed version beyond 2.12.2 and review the detailed disclosure at https://github.com/EthanKim88/ethan-cve-disclosures/blob/main/CVE-2025-69871-MedusaJS-TOCTOU.md for reproduction steps and additional context.
Details
- CWE(s)