Submission #833320: songquanpeng oneapi v0.1.6-alpha(2023-04-26)– v0.6.11-preview.7(latest) Race Condition

Information

Title: songquanpeng oneapi v0.1.6-alpha(2023-04-26)– v0.6.11-preview.7(latest) Race Condition
Description: A race condition has been found in https://github.com/songquanpeng/one-api up to version 0.6.11-preview.7 when running on MySQL. The vulnerability is located in the redemption code top-up endpoint POST /api/user/topup, implemented in the function Redeem() in model/redemption.go. The developer attempted to protect this flow with a database transaction and a SELECT ... FOR UPDATE row lock, but the implementation uses tx.Set("gorm:query_option", "FOR UPDATE"), a key that GORM v2 silently ignores. As a result, the FOR UPDATE clause is never appended to the SQL query and the row lock is never acquired. Two concurrent transactions can both read the same one-time redemption code as enabled, both pass the status check, and both commit, crediting the full quota value to two different user accounts from a single code. An attacker with two regular user accounts and one valid redemption code can redeem the same code simultaneously, receiving the full face-value quota on each account at no additional cost. Deployments running with a SQLite backend are not affected. Patch link: https://github.com/songquanpeng/one-api/pull/2399
Source: https://github.com/songquanpeng/one-api/issues/2397
User: star5o (UID 91627)
Submitted: 19/05/2026 05:27 PM (23 days ago)
Moderation: 07/06/2026 11:01 AM (19 days later)
Status: Approved
VulDB Entry: 369085 [songquanpeng one-api up to 0.6.11-preview.7 Redemption Code Top-Up Endpoint model/redemption.go Redeem]
Points: 20
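As an added illustration (not one-api's own code and not the linked patch), the Go model below replays the interleaving from the description: a constructed in-memory stand-in for the redemption row (status 1 = enabled, 3 = used, quota 500 are all made-up values) where Read with forUpdate=false is the plain, non-locking SELECT that results when GORM v2 ignores gorm:query_option, and forUpdate=true is a real row lock held until commit. GORM v2 exposes such a lock through db.Clauses(clause.Locking{Strength: "UPDATE"}); the model abstracts the ORM away so the locking semantics alone are visible.

```go
package main
import "errors"

// Constructed model of one redemption row plus per-user quota balances;
// an illustration, not one-api's own code. Status 1 = enabled, 3 = used.
type Redemption struct{ Status, Quota int }
type DB struct {
	row      Redemption
	lockedBy string // user whose open transaction holds the row lock, if any
	balances map[string]int
}

var ErrLockWait = errors.New("row is locked by another transaction")
var ErrNotEnabled = errors.New("redemption code is not enabled")

// Read models the SELECT in Redeem(). With forUpdate it acts like SELECT ... FOR UPDATE and
// cannot proceed while another tx holds the lock; without it (gorm:query_option ignored) it is a plain read.
func (db *DB) Read(user string, forUpdate bool) (Redemption, error) {
	if forUpdate {
		if db.lockedBy != "" && db.lockedBy != user {
			return Redemption{}, ErrLockWait
		}
		db.lockedBy = user
	}
	return db.row, nil
}

// Commit runs the status check and quota credit; committing releases the row lock.
func (db *DB) Commit(user string, r Redemption) error {
	db.lockedBy = ""
	if r.Status != 1 {
		return ErrNotEnabled
	}
	db.row.Status = 3
	db.balances[user] += r.Quota
	return nil
}

// RunRace replays the advisory's interleaving: both transactions read the code
// before either commits. It returns the total quota credited and B's outcome.
func RunRace(forUpdate bool) (int, error) {
	db := &DB{row: Redemption{Status: 1, Quota: 500}, balances: map[string]int{}}
	ra, _ := db.Read("user-a", forUpdate)
	rb, errB := db.Read("user-b", forUpdate) // blocks only when A holds a real row lock
	_ = db.Commit("user-a", ra)              // A passes the check and is credited
	if errors.Is(errB, ErrLockWait) {
		rb, _ = db.Read("user-b", forUpdate) // B resumes after A commits and sees status 3
	}
	errB = db.Commit("user-b", rb)
	return db.balances["user-a"] + db.balances["user-b"], errB
}
```

RunRace(false) credits 500 to both accounts and B's commit succeeds, which is the double redemption; RunRace(true) credits 500 once and B's commit fails with ErrNotEnabled.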
