GHSA-vh5j-5fhq-9xwg: Taylor has race condition in /get-patch that allows purchase token replay
The /get-patch endpoint processes a purchase in two separate database queries: a SELECT that verifies the token is unused, followed by an UPDATE that marks the token as used. Because SQLite serializes each statement individually rather than the SELECT-then-UPDATE pair as a whole, a malicious actor can issue two requests at the exact same moment and have both SELECT statements succeed before either UPDATE runs.
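The check-then-act pattern the advisory describes beside a single-statement atomic redemption, as an added example that is not Taylor's own code: the table, column and token names are constructed, and the harness opens one connection per thread against a temporary SQLite file.

```python
import os
import sqlite3
import tempfile
import threading
from contextlib import closing

# Constructed schema (hypothetical table/column names): one row per purchase token.
SCHEMA = "CREATE TABLE tokens (token TEXT PRIMARY KEY, used INTEGER NOT NULL DEFAULT 0)"

def setup_db() -> str:
    """Create a temporary SQLite file seeded with one unused token."""
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    with closing(sqlite3.connect(path)) as conn, conn:
        conn.execute(SCHEMA)
        conn.execute("INSERT INTO tokens VALUES ('tok-123', 0)")
    return path

def redeem_racy(path: str, token: str) -> bool:
    """The advisory's pattern: SELECT in one transaction, UPDATE in another, so a
    concurrent request can observe used=0 in between and also be accepted."""
    with closing(sqlite3.connect(path, isolation_level=None)) as conn:  # autocommit
        row = conn.execute("SELECT used FROM tokens WHERE token=?", (token,)).fetchone()
        if row is None or row[0] != 0:
            return False
        conn.execute("UPDATE tokens SET used=1 WHERE token=?", (token,))
        return True

def redeem_atomic(path: str, token: str) -> bool:
    """One conditional UPDATE: the used=0 test and the write sit in a single write
    transaction, which SQLite serializes, so exactly one caller gets rowcount == 1."""
    with closing(sqlite3.connect(path, timeout=10)) as conn, conn:  # waits for lock, commits
        cur = conn.execute("UPDATE tokens SET used=1 WHERE token=? AND used=0", (token,))
        return cur.rowcount == 1

def concurrent_redeem(redeem, path: str, token: str, n: int = 20) -> int:
    """Release n threads at once against the same token; return how many were accepted."""
    barrier, results = threading.Barrier(n), []
    def worker():
        barrier.wait()
        results.append(redeem(path, token))  # list.append is atomic under the GIL
    threads = [threading.Thread(target=worker) for _ in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results)
```

An equivalent fix keeps both statements but opens the transaction with BEGIN IMMEDIATE, so the SELECT already holds the write lock and no second request can read used=0 before the UPDATE commits.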