What is GHSA-9rh9-hf3w-9fgg?

GHSA-9rh9-hf3w-9fgg is a security advisory published by GitHub Security Advisories with Medium severity. shopper/framework: Race condition on Discount.usage_limit allows silent over-redemption

Why does GHSA-9rh9-hf3w-9fgg have no CVE ID yet?

GitHub Security Advisories published this advisory directly to customers before NVD assigned a CVE ID. This is the embargo-window disclosure pattern — vendors notify customers on day 0; NVD's public record follows days to weeks later.

What is the CVSS v3 score of GHSA-9rh9-hf3w-9fgg?

GHSA-9rh9-hf3w-9fgg has a CVSS v3 base score of 5.9, published by GitHub Security Advisories.

Which products are affected by GHSA-9rh9-hf3w-9fgg?

GHSA-9rh9-hf3w-9fgg affects 1 product, including: composer/shopper/cart:\u003c 2.8.0.

GHSA-9rh9-hf3w-9fggMediumCVSS 5.9Disclosed before NVD

shopper/framework: Race condition on Discount.usage_limit allows silent over-redemption

Vendor

GitHub Security Advisories

Published

May 18, 2026

Last Modified

May 18, 2026

📋 Description

## Impact `CreateOrderFromCartAction::execute` previously created the `Order` row before checking and incrementing the discount's `total_use` counter. Under concurrent checkout pressure (Black Friday, flash sale, viral coupon), the global `usage_limit` was silently exceeded: orders were committed with the discount fully applied to `price_amount` while the counter blocked at `usage_limit`. The merchant had no signal that an over-redemption had occurred. A second related bug: `usage_limit_per_user` was effectively a no-op because the counter it relied on (`DiscountDetail.total_use`) was never incremented anywhere in the codebase. The per-user check therefore always saw `0` uses and validation passed regardless of how many times the same customer had previously redeemed the coupon. For `eligibility = Everyone` the per-user limit could not fire at all because the underlying `DiscountDetail` row only exists for `eligibility = Customers`. Direct financial loss: each over-redemption is a discount the merchant did not intend to grant. ## Patches Fixed in `v2.8.0`. `CreateOrderFromCartAction` now: - Reserves the discount slot atomically before the order row is created, inside the same `DB::transaction` with `lockForUpdate` and a compare-and-swap on `total_use`. - Throws `DiscountLimitReachedException::global` and rolls back the transaction when the global limit was exhausted between cart validation and commit. No order is committed. - Throws `DiscountLimitReachedException::perUser` and rolls back when the discount is restricted to one use per customer and the customer has already redeemed it. - Snapshots `discount_id`, `discount_code`, `discount_type`, `discount_value_at_apply` and `discount_currency_code` onto the `orders` table for resilience against later discount edits or deletions. `DiscountValidator` was updated to perform the same Order-based per-user check at cart-apply time so the rejection is surfaced before checkout. Upgrade via: `composer require shopper/cart:^2.8 shopper/core:^2.8` `php artisan migrate` ## Workarounds None. Upgrade to `v2.8.0`. ## Resources - Issue: https://github.com/shopperlabs/shopper/issues/510 - Pull request: https://github.com/shopperlabs/shopper/pull/511 - CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization

🎯 Affected products1

composer/shopper/cart:< 2.8.0

📋 Description

🎯 Affected products1

🔗 References (6)