Rate limit couponCode updates

Author: lukeholder

CHANGELOG.md

@@ -3,6 +3,7 @@
 ## Unreleased
 
 - Fixed a bug where GraphQL queries using `relatedTo*` arguments within `hasProduct` or `hasVariant` inputs caused a server error. ([#4297](https://github.com/craftcms/commerce/issues/4297))
+- Cart requests that include a`couponCode` param are now rate-limited. (GHSA-h5gm-x9wr-vhcm)
 
 ## 5.6.4 - 2026-05-06
 

src/controllers/CartController.php

@@ -41,6 +41,11 @@
  */
 class CartController extends BaseFrontEndController
 {
+    /**
+     * Params that trigger IP-based rate limiting on cart actions.
+     */
+    const RATE_LIMITED_PARAMS = ['number', 'couponCode'];
+
     /**
      * @var Order The cart element
      */
@@ -88,14 +93,16 @@ public function behaviors(): array
                 'only' => ['get-cart', 'update-cart', 'load-cart', 'complete'],
                 'enableRateLimitHeaders' => false,
                 'user' => function() {
-                    // Only apply rate limiting when a cart number is explicitly passed
-                    $isActive = Craft::$app->getRequest()->getBodyParam('number') || Craft::$app->getRequest()->getQueryParam('number');
+                    // Only apply rate limiting when a cart number or coupon code is explicitly passed
+                    $request = Craft::$app->getRequest();
+                    $isActive = collect(self::RATE_LIMITED_PARAMS)
+                        ->contains(fn($param) => $request->getBodyParam($param) || $request->getQueryParam($param));
 
                     return $isActive ? new IpRateLimitIdentity([
                         'limit' => 1,
                         'window' => 1,
-                        'keyPrefix' => 'cart-number-rate-limit',
-                        'ip' => Craft::$app->getRequest()->getUserIP() ?? 'unknown',
+                        'keyPrefix' => 'cart-rate-limit',
+                        'ip' => $request->getUserIP() ?? 'unknown',
                     ]) : null;
                 },