# Race Condition in Concurrent Operations

- ID: javascript-race-conditions
- Severity: HIGH
- CWE: Race Condition (CWE-362)
- Languages: JavaScript, TypeScript
- Frameworks: nodejs, express, fastify, nextjs

## Description

Detects time-of-check to time-of-use (TOCTOU) vulnerabilities where the state can change between checking a condition and acting on it.

Common race conditions include:

- Check balance, then deduct (balance can change in between)
- Check inventory, then create order (stock can be sold out)
- Check permissions, then perform action (permissions can change)
- File existence check, then read/write (file can be modified)

## Detection Message

Race condition at {location} - check and act are not atomic

## Remediation

Use database transactions for atomic operations:

```javascript
// ✅ SAFE - Atomic operation with transaction
const transaction = await db.transaction();

try {
  // Lock the row for update: it stays locked until commit or rollback,
  // so no concurrent request can change the balance between check and update.
  const account = await Account.findOne({
    where: { userId },
    lock: transaction.LOCK.UPDATE,
    transaction
  });

  if (account.balance < amount) {
    // The catch block performs the rollback; rolling back here as well
    // would call rollback() twice on the same transaction.
    throw new Error('Insufficient funds');
  }

  await account.update(
    { balance: account.balance - amount },
    { transaction }
  );

  await transaction.commit();
} catch (error) {
  await transaction.rollback();
  throw error;
}
```

## Related Rules

- **Concurrent Slice Access** [HIGH]
- **Direct Map Access on Thread-Safe Struct** [HIGH]
- **Potential Race Condition** [MEDIUM]
- **WaitGroup Misuse** [HIGH]
- **Potential Race Condition** [MEDIUM]
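The "check balance, then deduct" race from the Description, reproduced in plain Node.js beside a serialized version. This is an added example, not code from the rule itself. The in-memory `accounts` map, `dbDelay`, `withLock`, `race` and the user ids are all constructed for illustration.

```javascript
// Constructed in-memory store standing in for the accounts table (assumption).
const accounts = new Map();
// Simulated database round trip: yields to the event loop like real I/O.
const dbDelay = () => new Promise((resolve) => setTimeout(resolve, 5));

// VULNERABLE: other requests can run at each await between check and write.
async function withdrawUnsafe(userId, amount) {
  const balance = accounts.get(userId); // time of check
  await dbDelay();
  if (balance < amount) throw new Error('Insufficient funds');
  await dbDelay();
  accounts.set(userId, balance - amount); // time of use: balance may be stale
}

// Per-account lock: each caller queues behind the previous one for that key.
const locks = new Map(); // userId -> tail of that account's promise chain
function withLock(key, fn) {
  const prev = locks.get(key) || Promise.resolve();
  const run = prev.then(() => fn());
  locks.set(key, run.catch(() => {})); // a failed holder must not block the queue
  return run;
}

// HARDENED: same check-then-act body, but serialized per account.
function withdrawSafe(userId, amount) {
  return withLock(userId, () => withdrawUnsafe(userId, amount));
}

// Fire two concurrent withdrawals of 80 against a starting balance of 100.
async function race(withdraw, userId) {
  accounts.set(userId, 100);
  const results = await Promise.allSettled([
    withdraw(userId, 80),
    withdraw(userId, 80),
  ]);
  const succeeded = results.filter((r) => r.status === 'fulfilled').length;
  return { succeeded, paidOut: succeeded * 80, balance: accounts.get(userId) };
}

race(withdrawUnsafe, 'demo-unsafe')
  .then((r) => console.log('unsafe:', r))
  .then(() => race(withdrawSafe, 'demo-safe'))
  .then((r) => console.log('locked:', r));
```

The promise-chain lock only serializes requests inside a single Node.js process. With several instances or workers sharing one database, the row lock inside a transaction shown under Remediation is what makes the check and the update atomic.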