CVE-2025-15116
Unknown Unknown - Not Provided
Race Condition in OpenCart Single-Use Coupon Handler Allows Remote Attack

Publication date: 2025-12-28

Last updated on: 2026-04-29

Assigner: VulDB

Description
A security flaw has been discovered in OpenCart up to 4.1.0.3. Affected by this issue is some unknown functionality of the component Single-Use Coupon Handler. Performing a manipulation results in race condition. The attack may be initiated remotely. The attack's complexity is rated as high. The exploitation is known to be difficult. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-28
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2025-12-28
EPSS Evaluated
2026-06-14
NVD
CVE-2025-15116
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
opencart opencart 4.1.0.3
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-362 The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a security flaw in OpenCart up to version 4.1.0.3, specifically in the Single-Use Coupon Handler component. It involves a race condition that can be triggered remotely. The attack is complex and difficult to exploit, but a public exploit has been released.

Impact Analysis

The vulnerability can impact you by allowing an attacker to manipulate the Single-Use Coupon Handler through a race condition, potentially leading to unauthorized actions or misuse of coupons. However, it does not affect confidentiality or availability, only integrity to a limited extent.

Detection Guidance

This vulnerability can be detected by monitoring for concurrent checkout requests that apply single-use coupons multiple times or cause inventory stock to go negative. Detection involves observing unusual patterns such as multiple orders using the same single-use coupon or negative inventory values. A practical approach is to simulate concurrent checkout requests using a script similar to the provided proof-of-concept Python script that sends multiple simultaneous guest checkout requests applying the coupon and placing orders. Specific commands would involve running such a multi-threaded script to test if the system improperly allows multiple uses of a single-use coupon or oversells inventory. However, no direct detection commands are provided in the resources. [2]

Mitigation Strategies

Immediate mitigation steps include implementing database locking mechanisms such as pessimistic locking (e.g., using `SELECT ... FOR UPDATE`) on coupon and product rows during checkout validation to ensure atomicity and prevent concurrent modifications. Additionally, enforcing database-level constraints like unsigned integers for stock quantities can prevent negative inventory values by rejecting invalid updates. Since no patches or official fixes are available, replacing or upgrading the affected component or product may be necessary. Monitoring for suspicious concurrent checkout activity and temporarily disabling single-use coupons until a fix is applied could also help reduce risk. [1, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-15116. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart