| tiêu đề | songquanpeng oneapi v0.1.6-alpha(2023-04-26)– v0.6.11-preview.7(latest) Race Condition |
|---|
| Mô tả | A race condition has been found in https://github.com/songquanpeng/one-api up to version 0.6.11-preview.7 on MySQL. The vulnerability is located in the redemption code top-up endpoint POST /api/user/topup, implemented in model/redemption.go function Redeem(). The developer attempted to protect this flow with a database transaction and a SELECT ... FOR UPDATE row lock, but the implementation uses tx.Set("gorm:query_option", "FOR UPDATE") — a key that is silently ignored by GORM v2. As a result, the FOR UPDATE clause is never appended to the SQL query and the row lock is never acquired. Two concurrent transactions can both read the same one-time redemption code as enabled, both pass the status check, and both commit — crediting the full quota value to two different user accounts from a single code. An attacker with two regular user accounts and one valid redemption code can redeem the same code simultaneously, receiving the full face-value quota on each account without additional cost. The vendor is not affected when running with a SQLite backend. Patch link is:https://github.com/songquanpeng/one-api/pull/2399 |
|---|
| Nguồn | ⚠️ https://github.com/songquanpeng/one-api/issues/2397 |
|---|
| Người dùng | star5o (UID 91627) |
|---|
| Đệ trình | 19/05/2026 17:27 (cách đây 20 ngày) |
|---|
| Kiểm duyệt | 07/06/2026 11:01 (19 days later) |
|---|
| Trạng thái | được chấp nhận |
|---|
| Mục VulDB | 369085 [songquanpeng one-api đến 0.6.11-preview.7 Redemption Code Top-Up Endpoint model/redemption.go Redeem] |
|---|
| điểm | 20 |
|---|