resolved
Lack of minimum value bid wheel verification on customer_bid in Rental Trips
Bug reported by Sameer Ali was disclosed on November 20, 2025, at 5:46 am | Business Logic Errors
A missing validation on the customer_bid field when creating rental trips allowed passengers to submit arbitrary bid amounts, including very low fares. Proper validation was added to prevent unrealistic values.
resolved
Customer can cancel an individual booking in a batch, causing locking of partner.
Bug reported by Sameer Ali was disclosed on November 20, 2025, at 5:32 am | Business Logic Errors
The vulnerability allowed users to update the status of individual trips inside a batch, even though only batch-level status changes were intended. By cancelling the single trip inside a one-parcel batch, the batch was placed into an inconsistent state, causing the assigned partner to become stuck in a booking they could not complete or cancel.

