SCA: security update for sylius/sylius (GHSA-7mp4-25j8-hp5q)

medium Tenable Self-Hosted Container Security Plugin ID 438633

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Sylius is an Open Source eCommerce Framework on Symfony. A Time-of-Check To Time-of-Use (TOCTOU) race
condition was discovered in the promotion usage limit enforcement. The same class of vulnerability affects
the promotion usage limit (the global used counter on Promotion entities), coupon usage limit (the global
used counter on PromotionCoupon entities), and coupon per-customer usage limit (the per-customer
redemption count on PromotionCoupon entities). In all three cases, the eligibility check reads the used
counter (or order count) from an in-memory Doctrine entity during validation, while the actual usage
increment in OrderPromotionsUsageModifier happens later during order completion — with no database-level
locking or atomic operations between the two phases. Because Doctrine flushes an absolute value (SET used
= 1) rather than an atomic increment (SET used = used + 1), and because the affected entities lack
optimistic locking, concurrent requests all read the same stale usage counts and pass the eligibility
checks simultaneously. An attacker can exploit this by preparing multiple carts with the same limited-use
promotion or coupon and firing simultaneous PATCH /api/v2/shop/orders/{token}/complete requests. All
requests pass the usage limit checks and complete successfully, allowing a single-use promotion or coupon
to be redeemed an arbitrary number of times. The per-customer limit can be bypassed in the same way by a
single customer completing multiple orders concurrently. No authentication is required to exploit this
vulnerability. This may lead to direct financial loss through unlimited redemption of limited-use
promotions and discount coupons. The issue is fixed in versions: 1.9.12, 1.10.16, 1.11.17, 1.12.23,
1.13.15, 1.14.18, 2.0.16, 2.1.12, 2.2.3 and above. (CVE-2026-31824)

Solution

Update the sylius/sylius library and its related packages to version 1.10.16 or later.

See Also

https://github.com/advisories/GHSA-7mp4-25j8-hp5q

Plugin Details

Severity: Medium

ID: 438633

Version: Revision 1.11

Type: Local

Family: SCA Checks

Published: 3/11/2026

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.73

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: Medium

Base Score: 5.4

Temporal Score: 4

Vector: CVSS2#AV:N/AC:H/Au:N/C:N/I:C/A:N

CVSS Score Source: CVE-2026-31824

CVSS v3

Risk Factor: Medium

Base Score: 5.9

Temporal Score: 5.2

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 3/11/2026

Vulnerability Publication Date: 3/10/2026

Reference Information

CVE: CVE-2026-31824