CVE-2025-10216
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-10

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was detected in GrandNode up to 2.3.0. The impacted element is an unknown function of the file /checkout/ConfirmOrder/ of the component Voucher Handler. The manipulation of the argument giftvouchercouponcode results in race condition. The attack may be launched remotely. The attack requires a high level of complexity. The exploitability is regarded as difficult. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-10
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2025-09-10
EPSS Evaluated
2026-06-15
NVD
CVE-2025-10216
EUVD
EUVD-2025-27616
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
grandnode grandnode 2.3.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-362 The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-10216 is a race condition vulnerability in GrandNode version 2.3.0, specifically in the Voucher Handler component at the /checkout/ConfirmOrder/ endpoint. It occurs due to manipulation of the giftvouchercouponcode argument, allowing multiple users or guest sessions to concurrently redeem the same voucher. This flaw enables attackers to bypass voucher usage restrictions and redeem a single voucher multiple times, leading to unauthorized financial gain. [1, 2]

Impact Analysis

This vulnerability can impact you by allowing attackers to redeem the same voucher multiple times, resulting in unauthorized financial loss or abuse of voucher systems. Although exploitation is difficult and requires some user interaction, it compromises the integrity of the voucher redemption process and can lead to financial damage or loss of trust in the system. [1, 2]

Detection Guidance

Detection of this race condition vulnerability involves monitoring concurrent requests to the /checkout/ConfirmOrder/ endpoint, specifically looking for multiple simultaneous uses of the giftvouchercouponcode parameter. Network or application logs should be analyzed for repeated or overlapping voucher redemption attempts. Since a proof-of-concept exploit is publicly known, testing with controlled concurrent requests to this endpoint using the giftvouchercouponcode parameter may help identify if the system is vulnerable. Specific commands are not provided in the resources. [1, 2]

Mitigation Strategies

Immediate mitigation steps include monitoring and restricting concurrent voucher redemption attempts at the /checkout/ConfirmOrder/ endpoint. Since no patches or countermeasures are currently available and the vendor did not respond, it is recommended to consider alternative products or implement custom synchronization mechanisms to prevent race conditions in voucher redemption. Additionally, applying rate limiting, session validation, and enhanced logging may help reduce exploitation risk until a proper fix is available. [2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-10216. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart