
AIKIDO-2026-10390

spree_core is vulnerable to Race Condition (TOCTOU)

Race Condition (TOCTOU) Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.

Severity score: 54 (Medium Risk)

This affects:

Ruby / spree_core 5.0.0 - 5.3.4
Fixed in 5.3.5

TL;DR

The gift card apply service computes the redeemable amount from gift_card.amount_remaining and order.total and then creates store credits, without holding a lock that covers both the gift card and the order. Under concurrent requests (for example the same gift card applied to several orders at once), one request's check and another request's credit creation can interleave: both read the same amount_remaining before either has recorded its use, so the store credits created in total exceed the gift card's value and the card is overspent. The fix wraps the read and the store credit creation in order.with_lock and acquires gift_card.lock! inside it, so the critical section is serialized per gift card.
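The following is an added example, not Spree's own code, that reproduces the check-then-act race and the lock-based fix in a deterministic, in-memory form. GiftCard, Order, StoreCredit and RowLock are hypothetical stand-ins for the ActiveRecord models and for a database row lock (order.with_lock / gift_card.lock!); concurrent requests are modelled as fibers driven by a round-robin scheduler, so the interleaving that produces the overspend is reproducible rather than timing-dependent. Amounts are integer cents, and the card value and order totals are constructed inputs.

```ruby
# Added example (not Spree's code): a deterministic model of the gift card TOCTOU.
# Fibers stand in for concurrent requests, RowLock for a database row lock.
begin
  require 'fiber' # Fiber.current / Fiber#alive? live here on Ruby < 3.1
rescue LoadError
end

ROOT_FIBER = Fiber.current

# Hypothetical row lock: a fiber that finds the lock held yields to the scheduler
# until the holder releases it, like SELECT ... FOR UPDATE blocking in the database.
class RowLock
  def initialize
    @owner = nil
  end

  def synchronize
    Fiber.yield while @owner && @owner != Fiber.current
    @owner = Fiber.current
    yield
  ensure
    @owner = nil if @owner == Fiber.current
  end
end

class GiftCard
  attr_reader :id, :amount_cents, :lock
  attr_accessor :amount_used_cents

  def initialize(id, amount_cents)
    @id, @amount_cents, @amount_used_cents, @lock = id, amount_cents, 0, RowLock.new
  end

  def amount_remaining
    @amount_cents - @amount_used_cents
  end
end

class Order
  attr_reader :id, :total_cents, :lock

  def initialize(id, total_cents)
    @id, @total_cents, @lock = id, total_cents, RowLock.new
  end
end

StoreCredit = Struct.new(:gift_card_id, :order_id, :amount_cents)

# Marks the point where a web request can be preempted by another one.
def yield_to_other_requests
  Fiber.yield unless Fiber.current == ROOT_FIBER
end

# Vulnerable pattern: CHECK reads amount_remaining and order total, USE creates the
# credit; nothing stops a second request from running its CHECK against the same,
# not-yet-debited amount_remaining in between.
def apply_gift_card_unlocked(gift_card, order, ledger)
  amount = [[gift_card.amount_remaining, order.total_cents].min, 0].max # CHECK
  if amount > 0
    yield_to_other_requests                                             # TOCTOU window
    ledger << StoreCredit.new(gift_card.id, order.id, amount)           # USE
    gift_card.amount_used_cents += amount
  end
  amount
end

# Fixed pattern: the same read and write inside the order lock with the gift card
# lock taken inside it, so one request's CHECK and USE complete before another
# request's CHECK can observe the gift card.
def apply_gift_card_locked(gift_card, order, ledger)
  order.lock.synchronize do         # order.with_lock
    gift_card.lock.synchronize do   # gift_card.lock!
      amount = [[gift_card.amount_remaining, order.total_cents].min, 0].max
      if amount > 0
        yield_to_other_requests     # a preempting request now blocks on the locks
        ledger << StoreCredit.new(gift_card.id, order.id, amount)
        gift_card.amount_used_cents += amount
      end
      amount
    end
  end
end

# Round-robin scheduler: each live fiber runs up to its next yield per pass.
def run_interleaved(jobs)
  fibers = jobs.map { |job| Fiber.new(&job) }
  results = Array.new(fibers.size)
  loop do
    live = fibers.each_with_index.select { |f, _| f.alive? }
    break if live.empty?
    live.each do |f, i|
      value = f.resume
      results[i] = value unless f.alive?
    end
  end
  results
end

# Applies one gift card to several orders "at once" and reports the outcome.
def simulate(apply_method, card_amount_cents:, order_totals_cents:)
  card = GiftCard.new(1, card_amount_cents)
  ledger = []
  orders = order_totals_cents.each_with_index.map { |total, i| Order.new(i + 1, total) }
  run_interleaved(orders.map { |order| -> { send(apply_method, card, order, ledger) } })
  { credited: ledger.sum(&:amount_cents), remaining: card.amount_remaining }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed input: a 50.00 card applied to two 40.00 orders concurrently.
  p simulate(:apply_gift_card_unlocked, card_amount_cents: 5000, order_totals_cents: [4000, 4000])
  # credited 8000, remaining -3000: the card is overspent by 30.00
  p simulate(:apply_gift_card_locked, card_amount_cents: 5000, order_totals_cents: [4000, 4000])
  # credited 5000, remaining 0: the second request sees the debited balance
end
```

The scheduler resumes every request once per pass, so in the unlocked version both requests finish their CHECK before either records its use, which is exactly the interleaving a real server can produce under load. In the locked version the second request blocks on the gift card lock until the first has written its credit, and then recomputes the amount from the debited balance. Note that the fix takes the order lock first and the gift card lock second; any other code path that locks both rows must use the same order, or two such requests can deadlock instead of racing.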

Who does this affect?

You are affected if you run spree_core (directly or through the spree meta-gem) at any version from 5.0.0 to 5.3.4 inclusive and accept gift cards on orders. Exploitation needs only a valid gift card and the ability to send apply requests concurrently, which any customer can do.

Background info

spree_core is vulnerable to Race Condition (TOCTOU) in versions 5.0.0 - 5.3.4. A time-of-check/time-of-use race occurs when a value is checked and then acted on without a lock keeping the checked state stable in between; here the checked value is the gift card's remaining amount, and the action is the creation of store credits against it.

How to fix this

Upgrade spree_core (or the spree meta-gem that depends on it) to 5.3.5 or later. Upgrading closes the race but does not revert store credits that were already created; if abuse is suspected, compare the store credits issued per gift card against that card's value.