PT-2026-28608 · Mppx · Mppx

Samczsun +1 · Published 2026-03-29 · Updated 2026-03-31 · CVE-2026-34210

CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Name of the Vulnerable Software and Affected Versions: mppx versions prior to 0.4.11

Description: mppx is a TypeScript interface for the machine payments protocol. The stripe/charge payment method did not validate Stripe's Idempotent-Replayed response header when creating PaymentIntents. Stripe deduplicates requests that carry a previously used idempotency key, returning the cached PaymentIntent and flagging it with Idempotent-Replayed: true rather than charging again. Because the server did not check that flag, an attacker could replay a valid credential containing the same spt token against a new challenge, and the server accepted the replayed PaymentIntent as a new successful payment even though the customer was not charged again. An attacker could therefore pay once and consume unlimited resources by replaying the credential. The affected API endpoint is the stripe/charge payment method.

Recommendations: Update to version 0.4.11 or later.
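The following is an added illustration of the flaw described above and of the check a settlement path needs; it is not mppx's own code and is not the fix shipped in 0.4.11. It models Stripe's idempotency behaviour with a mock client and assumes, consistently with but not stated by the advisory, that the idempotency key sent to Stripe is derived from the spt token in the credential. All names (MockStripe, settleVulnerable, settleHardened, wasReplayed, runScenario) are hypothetical.

```typescript
// Added example for this advisory, not mppx project code. The mock Stripe
// client and all function/type names below are assumptions.

type Headers = Record<string, string>;

interface PaymentIntent {
  id: string;
  status: "succeeded" | "requires_payment_method";
  amount: number;
}

interface StripeResponse {
  headers: Headers;
  intent: PaymentIntent;
}

// Mock of Stripe's documented idempotency behaviour: a second request with a
// previously used Idempotency-Key returns the stored response and the header
// "Idempotent-Replayed: true" instead of creating (and charging) a new intent.
class MockStripe {
  private seen = new Map<string, PaymentIntent>();
  private charges = 0;

  createPaymentIntent(amount: number, idempotencyKey: string): StripeResponse {
    const prior = this.seen.get(idempotencyKey);
    if (prior) {
      return { headers: { "idempotent-replayed": "true" }, intent: prior };
    }
    this.charges += 1;
    const intent: PaymentIntent = { id: `pi_${this.charges}`, status: "succeeded", amount };
    this.seen.set(idempotencyKey, intent);
    return { headers: {}, intent };
  }

  timesCharged(): number {
    return this.charges;
  }
}

// Credential a client presents for a challenge. Assumption: the spt token is
// reused as the Idempotency-Key, so replaying the credential replays the key.
interface Credential {
  spt: string;
  amount: number;
}

type SettleResult = { ok: true; intentId: string } | { ok: false; reason: string };

// Vulnerable shape: trusts intent.status alone, so a replayed credential is
// accepted as a fresh payment although Stripe charged nothing new.
function settleVulnerable(stripe: MockStripe, cred: Credential): SettleResult {
  const res = stripe.createPaymentIntent(cred.amount, cred.spt);
  return res.intent.status === "succeeded"
    ? { ok: true, intentId: res.intent.id }
    : { ok: false, reason: "payment not succeeded" };
}

// Header names are compared case-insensitively; HTTP clients do not
// guarantee the casing Stripe used on the wire.
function wasReplayed(headers: Headers): boolean {
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === "idempotent-replayed" && value.trim().toLowerCase() === "true") {
      return true;
    }
  }
  return false;
}

// Hardened shape: a PaymentIntent counts as a new payment only if Stripe did
// not serve it from its idempotency cache.
function settleHardened(stripe: MockStripe, cred: Credential): SettleResult {
  const res = stripe.createPaymentIntent(cred.amount, cred.spt);
  if (wasReplayed(res.headers)) {
    return { ok: false, reason: "replayed credential: PaymentIntent was not newly created" };
  }
  return res.intent.status === "succeeded"
    ? { ok: true, intentId: res.intent.id }
    : { ok: false, reason: "payment not succeeded" };
}

// Replay scenario: one valid credential presented against two challenges.
function runScenario(settle: (s: MockStripe, c: Credential) => SettleResult) {
  const stripe = new MockStripe();
  const cred: Credential = { spt: "spt_example_token", amount: 500 }; // constructed sample
  const first = settle(stripe, cred);
  const replay = settle(stripe, cred);
  return { first, replay, charges: stripe.timesCharged() };
}
```

In both runs the customer is charged exactly once; the difference is that the vulnerable path reports the second presentation as a successful payment, while the hardened path rejects it. A real integration should treat the replay as a hard failure rather than silently granting the resource, and should still verify that the intent's amount and currency match the challenge.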


Related identifiers

CVE-2026-34210
GHSA-8MHJ-RFFC-RCVW

Affected products

Mppx