CVE-2026-31824
📋 TL;DR
This TOCTOU race condition vulnerability in Sylius eCommerce Framework allows attackers to bypass promotion and coupon usage limits by sending concurrent order completion requests. Unauthenticated attackers can exploit this to redeem limited-use promotions and coupons unlimited times, causing direct financial loss. All Sylius installations using affected versions are vulnerable.
💻 Affected Systems
- Sylius
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Unlimited redemption of all limited-use promotions and coupons leading to significant financial loss, inventory depletion, and business disruption.
Likely Case
Attackers exploit popular promotions/coupons for repeated discounts, causing measurable financial impact and potential abuse of per-customer limits.
If Mitigated
Limited impact if promotions have low value caps or monitoring detects abnormal redemption patterns quickly.
🎯 Exploit Status
Exploitation requires only concurrent HTTP requests to the order completion endpoint with the same promotion/coupon.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.9.12, 1.10.16, 1.11.17, 1.12.23, 1.13.15, 1.14.18, 2.0.16, 2.1.12, 2.2.3 or higher
Vendor Advisory: https://github.com/Sylius/Sylius/security/advisories/GHSA-7mp4-25j8-hp5q
Restart Required: Yes
Instructions:
1. Identify your Sylius version.
2. Upgrade to the patched version for your release line.
3. Clear cache and restart your application server.
4. Test promotion/coupon functionality.
🔧 Temporary Workarounds
Rate Limiting
Implement strict rate limiting on the /api/v2/shop/orders/{token}/complete endpoint to prevent concurrent requests.
Disable Vulnerable Features
Temporarily disable all promotion and coupon usage limits until patching is complete.
🧯 If You Can't Patch
- Implement application-level locking or database-level atomic operations for promotion/coupon usage counters
- Deploy WAF rules to detect and block concurrent order completion requests with same promotion/coupon
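The first workaround above, a database-level atomic operation for the usage counter, is easiest to understand next to the pattern it replaces. The following is an added example, not Sylius code and not the vendor's patch: a constructed single-use coupon in an in-memory SQLite table, a read-check-write redemption that a second request can slip into, and a conditional UPDATE that lets the database enforce the limit. The `interleave` hook is a deterministic stand-in for a concurrent request, so the lost-update outcome is reproducible without threads.

```python
"""TOCTOU on a coupon usage counter versus an atomic conditional update.

Added example (not Sylius code). Schema, coupon code and limit are constructed.
"""
import sqlite3

COUPON = "WELCOME10"   # constructed single-use coupon


def make_db() -> sqlite3.Connection:
    """Constructed schema: one coupon whose usage_limit is 1."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE coupon (code TEXT PRIMARY KEY, used INTEGER NOT NULL, "
        "usage_limit INTEGER NOT NULL)"
    )
    conn.execute("INSERT INTO coupon VALUES (?, 0, 1)", (COUPON,))
    conn.commit()
    return conn


def redeem_check_then_act(conn, code, interleave=None) -> bool:
    """Read the counter, check it, then write it back: the TOCTOU pattern.
    `interleave` stands in for a second request that lands in the window
    between the check and the write."""
    used, limit = conn.execute(
        "SELECT used, usage_limit FROM coupon WHERE code = ?", (code,)
    ).fetchone()
    if used >= limit:
        return False                     # limit already reached
    if interleave:
        interleave()                     # another request completes here
    # Writes the stale value back: the other request's increment is lost.
    conn.execute("UPDATE coupon SET used = ? WHERE code = ?", (used + 1, code))
    conn.commit()
    return True


def redeem_atomic(conn, code, interleave=None) -> bool:
    """Check and increment in one conditional UPDATE. The predicate is
    evaluated against the current row, so once another redemption has taken
    the last slot this statement matches zero rows and the request is refused."""
    if interleave:
        interleave()                     # runs before the UPDATE; changes nothing
    cur = conn.execute(
        "UPDATE coupon SET used = used + 1 WHERE code = ? AND used < usage_limit",
        (code,),
    )
    conn.commit()
    return cur.rowcount == 1


def simulate_race(redeem) -> tuple:
    """Two requests for the same single-use coupon, the second interleaved
    into the first. Returns (redemptions accepted, final counter value)."""
    conn = make_db()
    accepted = 0

    def second_request():
        nonlocal accepted
        if redeem(conn, COUPON):
            accepted += 1

    if redeem(conn, COUPON, interleave=second_request):
        accepted += 1
    (used,) = conn.execute("SELECT used FROM coupon WHERE code = ?", (COUPON,)).fetchone()
    return accepted, used


if __name__ == "__main__":
    print("check-then-act:", simulate_race(redeem_check_then_act))  # (2, 1): two accepted against a limit of 1
    print("atomic update: ", simulate_race(redeem_atomic))          # (1, 1)
```

The check-then-act version accepts both redemptions and leaves the counter at 1, so the limit is exceeded and the ledger is wrong; the atomic version accepts exactly one. A `SELECT ... FOR UPDATE` inside a transaction, or an application-level lock keyed on the coupon code, are the other options the workaround list points at; in every case the check and the increment must not be separable by another request.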
🔍 How to Verify
Check if Vulnerable:
Check Sylius version via composer show sylius/sylius or app/console sylius:version
Check Version:
composer show sylius/sylius | grep versions
Verify Fix Applied:
Verify version is patched and test promotion/coupon usage limits with concurrent requests
📡 Detection & Monitoring
Log Indicators:
- Multiple order completions with same promotion/coupon within milliseconds
- Unusual spike in promotion/coupon redemptions
Network Indicators:
- Concurrent POST/PATCH requests to order completion endpoint
- Multiple requests with same promotion/coupon codes
SIEM Query:
source="web_logs" uri="/api/v2/shop/orders/*/complete" | bin _time span=1s | stats count by _time, promotion_code | where count > 1
(Splunk SPL; assumes a promotion_code field has been extracted from the request or joined from application logs, since access logs alone do not usually carry the coupon.)
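The log indicator above, several completions sharing one coupon within milliseconds, can be checked offline over a log export. This is an added example, not part of the original entry: the one-line-per-request format and the coupon values are constructed for it, and `find_bursts` reports, per coupon, the largest number of completion requests that fall inside a configurable window.

```python
"""Flag coupons that appear in a burst of order-completion requests.

Added example, not from the original page. The log format below is
constructed: "<iso timestamp> <method> <uri> coupon=<code>". Real access
logs will not carry the coupon; it normally comes from the application
log or a join on the order token.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE = re.compile(r"^(?P<ts>\S+) (?P<method>[A-Z]+) (?P<uri>\S+) coupon=(?P<coupon>\S*)$")
COMPLETE_URI = re.compile(r"^/api/v2/shop/orders/[^/]+/complete$")

# Constructed sample: three SPRING50 completions 13 ms apart, two WELCOME10
# completions 2.5 s apart, one completion without a coupon, one non-completion GET.
SAMPLE_LOG = """\
2026-04-01T10:00:00.120Z PATCH /api/v2/shop/orders/tok_a1/complete coupon=SPRING50
2026-04-01T10:00:00.131Z PATCH /api/v2/shop/orders/tok_b2/complete coupon=SPRING50
2026-04-01T10:00:00.133Z PATCH /api/v2/shop/orders/tok_c3/complete coupon=SPRING50
2026-04-01T10:00:00.140Z GET /api/v2/shop/orders/tok_c3 coupon=SPRING50
2026-04-01T10:00:02.500Z PATCH /api/v2/shop/orders/tok_d4/complete coupon=WELCOME10
2026-04-01T10:00:05.000Z PATCH /api/v2/shop/orders/tok_e5/complete coupon=WELCOME10
2026-04-01T10:00:05.900Z PATCH /api/v2/shop/orders/tok_f6/complete coupon=
"""


def parse_completion(line):
    """Return (timestamp, coupon) for a POST/PATCH completion carrying a coupon, else None."""
    m = LINE.match(line.strip())
    if not m or not COMPLETE_URI.match(m["uri"]) or not m["coupon"]:
        return None
    if m["method"] not in ("POST", "PATCH"):
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return ts, m["coupon"]


def find_bursts(log_text, window_ms=1000, threshold=2):
    """Map coupon -> largest number of completions inside any window_ms-wide
    window, keeping only coupons that reach threshold."""
    per_coupon = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_completion(line)
        if parsed:
            ts, coupon = parsed
            per_coupon[coupon].append(ts)

    window = timedelta(milliseconds=window_ms)
    bursts = {}
    for coupon, times in per_coupon.items():
        times.sort()
        best, start = 0, 0
        for end in range(len(times)):          # sliding window over sorted times
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            bursts[coupon] = best
    return bursts


if __name__ == "__main__":
    print(find_bursts(SAMPLE_LOG))  # {'SPRING50': 3}
```

With the default one-second window only SPRING50 is flagged; widening the window to five seconds also catches the two WELCOME10 completions, which is the trade-off to tune against how fast legitimate customers complete orders with a shared promotion.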