| タイトル | songquanpeng oneapi v0.1.6-alpha(2023-04-26)– v0.6.11-preview.7(latest) Race Condition |
|---|
| 説明 | A race condition has been found in https://github.com/songquanpeng/one-api up to version 0.6.11-preview.7 on MySQL. The vulnerability is located in the redemption code top-up endpoint POST /api/user/topup, implemented in model/redemption.go function Redeem(). The developer attempted to protect this flow with a database transaction and a SELECT ... FOR UPDATE row lock, but the implementation uses tx.Set("gorm:query_option", "FOR UPDATE") — a key that is silently ignored by GORM v2. As a result, the FOR UPDATE clause is never appended to the SQL query and the row lock is never acquired. Two concurrent transactions can both read the same one-time redemption code as enabled, both pass the status check, and both commit — crediting the full quota value to two different user accounts from a single code. An attacker with two regular user accounts and one valid redemption code can redeem the same code simultaneously, receiving the full face-value quota on each account without additional cost. The vendor is not affected when running with a SQLite backend. Patch link is:https://github.com/songquanpeng/one-api/pull/2399 |
|---|
| ソース | ⚠️ https://github.com/songquanpeng/one-api/issues/2397 |
|---|
| ユーザー | star5o (UID 91627) |
|---|
| 送信 | 2026年05月19日 17:27 (22 日 ago) |
|---|
| モデレーション | 2026年06月07日 11:01 (19 days later) |
|---|
| ステータス | 承諾済み |
|---|
| VulDBエントリ | 369085 [songquanpeng one-api 迄 0.6.11-preview.7 Redemption Code Top-Up Endpoint model/redemption.go Redeem] |
|---|
| ポイント | 20 |
|---|