PT-2026-31361 · Npm · Mppx

Publicado

2026-03-29

·

Atualizado

2026-03-29

CVSS v4.0

9.3

Crítica

VetorAV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:H/SI:H/SA:N

Impact

Multiple vulnerabilities were discovered in tempo/charge and tempo/session which allowed for undesirable behaviors, including:
  • Replaying tempo/charge transaction hashes across push/pull modes, across charge/session endpoints, and via concurrent requests
  • Performing free tempo/charge requests due to missing transfer log verification in pull-mode
  • Replaying tempo/charge credentials across routes via cross-route scope confusion (memo/splits not included in scope binding)
  • Manipulating the fee payer of a tempo/charge handler into paying for requests (missing sender signature before co-signing)
  • Bypassing tempo/session voucher signature verification
  • Piggybacking off existing tempo/session channels via settle voucher reuse and weak channel ID binding
  • Performing free tempo/session requests by exploiting channel reopen without on-chain settled state
  • Accepting deductions on finalized tempo/session channels
  • Bypassing payment on free routes via method-mismatch fallback
  • Griefing tempo/session channels via force-close detection bypass (closeRequestedAt not persisted)

Patches

Fixed in 0.4.8.

Workarounds

There are no workarounds available for these vulnerabilities.

Correção

Insufficient Verification of Data Authenticity

Authentication Bypass Using an Alternate Path or Channel

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-345CWE-288CWE-294

Identificadores relacionados

GHSA-8X4M-QW58-3PCX

Produtos afetados

Mppx