GHSA-9rh9-hf3w-9fgg: shopper/framework: Race condition on Discount.usage_limit allows silent over-redemption
(updated )
CreateOrderFromCartAction::execute previously created the Order row before checking and incrementing the discount’s total_use counter. Under concurrent checkout pressure (Black Friday, flash sale, viral coupon), the global usage_limit was silently exceeded: orders were committed with the discount fully applied to price_amount while the counter blocked at usage_limit. The merchant had no signal that an over-redemption had occurred.
A second related bug: usage_limit_per_user was effectively a no-op because the counter it relied on (DiscountDetail.total_use) was never incremented anywhere in the codebase. The per-user check therefore always saw 0 uses and validation passed regardless of how many times the same customer had previously redeemed the coupon. For eligibility = Everyone the per-user limit could not fire at all because the underlying DiscountDetail row only exists for eligibility = Customers.
Direct financial loss: each over-redemption is a discount the merchant did not intend to grant.
References
- github.com/advisories/GHSA-9rh9-hf3w-9fgg
- github.com/shopperlabs/shopper/commit/fcd0c5920588702df5b874f432b1042abd77a50b
- github.com/shopperlabs/shopper/issues/510
- github.com/shopperlabs/shopper/pull/511
- github.com/shopperlabs/shopper/releases/tag/v2.8.0
- github.com/shopperlabs/shopper/security/advisories/GHSA-9rh9-hf3w-9fgg
- nvd.nist.gov/vuln/detail/CVE-2026-47741
Code Behaviors & Features
Detect and mitigate GHSA-9rh9-hf3w-9fgg with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →