| Title | songquanpeng oneapi v0.1.6-alpha(2023-04-26)– v0.6.11-preview.7(latest) Race Condition |
|---|
| Description | A race condition has been found in https://github.com/songquanpeng/one-api up to version 0.6.11-preview.7 on MySQL. The vulnerability is located in the redemption code top-up endpoint POST /api/user/topup, implemented in model/redemption.go function Redeem(). The developer attempted to protect this flow with a database transaction and a SELECT ... FOR UPDATE row lock, but the implementation uses tx.Set("gorm:query_option", "FOR UPDATE") — a key that is silently ignored by GORM v2. As a result, the FOR UPDATE clause is never appended to the SQL query and the row lock is never acquired. Two concurrent transactions can both read the same one-time redemption code as enabled, both pass the status check, and both commit — crediting the full quota value to two different user accounts from a single code. An attacker with two regular user accounts and one valid redemption code can redeem the same code simultaneously, receiving the full face-value quota on each account without additional cost. The vendor is not affected when running with a SQLite backend. Patch link is:https://github.com/songquanpeng/one-api/pull/2399 |
|---|
| Source | ⚠️ https://github.com/songquanpeng/one-api/issues/2397 |
|---|
| User | star5o (UID 91627) |
|---|
| Submission | 05/19/2026 17:27 (22 days ago) |
|---|
| Moderation | 06/07/2026 11:01 (19 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 369085 [songquanpeng one-api up to 0.6.11-preview.7 Redemption Code Top-Up Endpoint model/redemption.go Redeem logic error] |
|---|
| Points | 20 |
|---|