How the CVE Works:
The vulnerability occurs in SQLite when the `/get-patch` endpoint processes a purchase using two separate database queries: a `SELECT` to verify an unused token, followed by an `UPDATE` to mark it as used. SQLite’s per-statement locking allows concurrent requests to pass the `SELECT` check before either `UPDATE` executes, enabling race condition exploitation. Attackers sending simultaneous requests can reuse a valid token multiple times, bypassing purchase restrictions.
DailyCVE Form:
Platform: SQLite
Version:
Vulnerability: Race Condition
Severity: Critical
Date: 2023-06-15
Prediction: Patch expected by 2023-07-10
What Undercode Say:
```sql
-- Exploitable SELECT query
SELECT id, token_used_at
FROM purchases
WHERE patch_id = ?
  AND purchase_token = ?
  AND status = 'COMPLETED';

-- Atomic fix (UPDATE + RETURNING)
UPDATE purchases
SET token_used_at = CURRENT_TIMESTAMP
WHERE patch_id = ?
  AND purchase_token = ?
  AND status = 'COMPLETED'
  AND token_used_at IS NULL
RETURNING id;
```
Exploit:
1. Acquire a valid purchase token.
2. Send concurrent requests to `/get-patch`.
3. Bypass single-use restriction.
Protection from this CVE:
- Replace read-then-write logic with an atomic `UPDATE ... RETURNING`.
- Implement row-level locking or transaction isolation.
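The difference between the read-then-write handler and the atomic `UPDATE` can be replayed deterministically. This is an added example, not code from the original page or the affected project: it uses Python's `sqlite3` module, a constructed `purchases` row, and a fixed schedule on one connection in place of real concurrent requests. The helper names and the vulnerable handler's `UPDATE` statement are assumptions.

```python
import sqlite3

ARGS = (7, "tok-demo")  # constructed patch_id and purchase_token
WHERE = "WHERE patch_id = ? AND purchase_token = ? AND status = 'COMPLETED'"

def fresh_db():
    """In-memory table holding one completed purchase with an unused token."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE purchases (id INTEGER PRIMARY KEY, patch_id INTEGER,"
               " purchase_token TEXT, status TEXT, token_used_at TEXT)")
    db.execute("INSERT INTO purchases VALUES (1, 7, 'tok-demo', 'COMPLETED', NULL)")
    db.commit()
    return db

def token_unused(db):
    """Read step of the vulnerable handler: the page's SELECT."""
    row = db.execute("SELECT id, token_used_at FROM purchases " + WHERE, ARGS).fetchone()
    return row is not None and row[1] is None

def mark_used(db):
    """Write step of the vulnerable handler (assumed form): trusts the earlier SELECT."""
    db.execute("UPDATE purchases SET token_used_at = CURRENT_TIMESTAMP " + WHERE, ARGS)
    db.commit()

def redeem_atomic(db):
    """Check and claim in one statement; True only for the request that wins."""
    sql = ("UPDATE purchases SET token_used_at = CURRENT_TIMESTAMP " + WHERE
           + " AND token_used_at IS NULL")
    if sqlite3.sqlite_version_info >= (3, 35, 0):   # RETURNING needs SQLite 3.35+
        won = len(db.execute(sql + " RETURNING id", ARGS).fetchall()) == 1
    else:                                           # older builds: count changed rows
        won = db.execute(sql, ARGS).rowcount == 1
    db.commit()
    return won

def grants_read_then_write():
    """Schedule: both requests pass the SELECT before either UPDATE runs."""
    db = fresh_db()
    passed = [token_unused(db), token_unused(db)]  # request A, then request B
    for ok in passed:
        if ok:
            mark_used(db)
    return sum(passed)  # downloads granted for one token

def grants_atomic():
    """Same two requests, each using the single conditional UPDATE."""
    db = fresh_db()
    return sum(redeem_atomic(db) for _ in range(2))

if __name__ == "__main__":
    print("read-then-write grants:", grants_read_then_write())
    print("atomic UPDATE grants:", grants_atomic())
```

A regression test for the endpoint can assert the same invariant: for any number of requests carrying one token, exactly one conditional `UPDATE` reports a changed row.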
Impact:
- Revenue loss due to token replay.
- License enforcement bypass.
Sources:
Reported By: github.com
Extra Source Hub:
Undercode