PT-2026-31362 — Insufficient Verification of Data Authenticity em Crates.Io Mpp

PT-2026-31362 · Crates.Io · Mpp

Publicado

2026-03-29

Atualizado

2026-03-29

CVSS v4.0

9.3

Crítica

Vetor

AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:H/SI:H/SA:N

Multiple vulnerabilities were discovered which allowed for undesirable behaviors, including:

Performing free tempo/charge requests
Replaying existing tempo/charge requests
Performing free tempo/session requests
Piggybacking off existing tempo/session channels
Griefing existing tempo/session channels
Manipulate the fee payer of a tempo/charge or tempo/session handler into paying for requests
Replaying existing stripe/charge requests

The issues are patched in 0.8.0

There are no workarounds available for these vulnerabilities

Correção

Insufficient Verification of Data Authenticity

Authentication Bypass Using an Alternate Path or Channel

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

GHSA-FXC9-7J2W-VX54

Mpp