Home / Vulnerability Intelligence / CVE-2025-69871

CVE-2025-69871 - Vulnerability Analysis

HighCVSS: 8.1

Last Updated: February 12, 2026

MedusaJS Medusa - Race Condition

Published: February 11, 2026Updated: February 12, 2026Remote Exploitable

Overview

MedusaJS Medusa <= 2.12.2 contains a race condition caused by non-atomic read-check-update in registerUsage() of the promotion module, letting unauthenticated remote attackers bypass usage limits, exploit requires concurrent checkout requests.

Severity & Score

Severity: High

CVSS Score: 8.1

EPSS Score: 3.6%(Probability of exploitation in next 30 days)

Impact

Attackers can bypass promotion usage limits, enabling unlimited redemptions and causing potential financial loss.

Mitigation

Update to a version later than 2.12.2 or the latest available version.

References

Social Media Activity(1 post)

TheHackerWire

@thehackerwire

Feb 13, 2026

🟠 CVE-2025-69871 - High (8.1) A race condition vulnerability exists in MedusaJS Medusa v2.12.2 and earlier in the registerUsage() function of the promotion module. The function performs a non-atomic read-check-update operation when enforcing promotion usage limits. This allows... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2025-69871/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

Related Resources

Details

CVE ID: CVE-2025-69871
Severity: High
CVSS Score: 8.1
Type: race_condition
Status: unconfirmed
EPSS: 3.6%
Social Posts: 1

CWE

CWE-362

CVSS Metrics

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score

3.6%Probability of exploitation in the next 30 days