| Название | songquanpeng oneapi v0.1.6-alpha(2023-04-26)– v0.6.11-preview.7(latest) Race Condition |
|---|
| Описание | A race condition has been found in https://github.com/songquanpeng/one-api up to version 0.6.11-preview.7 on MySQL. The vulnerability is located in the redemption code top-up endpoint POST /api/user/topup, implemented in model/redemption.go function Redeem(). The developer attempted to protect this flow with a database transaction and a SELECT ... FOR UPDATE row lock, but the implementation uses tx.Set("gorm:query_option", "FOR UPDATE") — a key that is silently ignored by GORM v2. As a result, the FOR UPDATE clause is never appended to the SQL query and the row lock is never acquired. Two concurrent transactions can both read the same one-time redemption code as enabled, both pass the status check, and both commit — crediting the full quota value to two different user accounts from a single code. An attacker with two regular user accounts and one valid redemption code can redeem the same code simultaneously, receiving the full face-value quota on each account without additional cost. The vendor is not affected when running with a SQLite backend. Patch link is:https://github.com/songquanpeng/one-api/pull/2399 |
|---|
| Источник | ⚠️ https://github.com/songquanpeng/one-api/issues/2397 |
|---|
| Пользователь | star5o (UID 91627) |
|---|
| Представление | 19.05.2026 17:27 (20 дни назад) |
|---|
| Модерация | 07.06.2026 11:01 (19 days later) |
|---|
| Статус | принято |
|---|
| Запись VulDB | 369085 [songquanpeng one-api до 0.6.11-preview.7 Redemption Code Top-Up Endpoint model/redemption.go Redeem] |
|---|
| Баллы | 20 |
|---|