PT-2026-28608 · Mppx · Mppx

Samczsun +1

Published 2026-03-29 · Updated 2026-03-31

CVE-2026-34210

CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Name of the Vulnerable Software and Affected Versions: mppx versions prior to 0.4.11

Description: mppx is a TypeScript interface for the Machine Payments Protocol. The stripe/charge payment method did not validate Stripe's Idempotent-Replayed response header when creating PaymentIntents. A credential containing an spt token that had already been used could therefore be presented again against a new challenge: Stripe's idempotency layer returned the original PaymentIntent instead of creating a new charge, and the server accepted that replayed PaymentIntent as a fresh successful payment even though the customer was not charged again. An attacker could pay once and consume unlimited resources by replaying the credential. The affected API endpoint is the stripe/charge payment method.

Recommendations: Update to version 0.4.11 or later.
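To make the failure concrete, the following is an added example and not mppx's own code: a toy settlement path for a stripe/charge style payment method, with an in-memory stand-in for Stripe's PaymentIntent endpoint that reproduces the documented idempotency behaviour (a repeated Idempotency-Key returns the stored result and sets `Idempotent-Replayed: true` rather than charging again). The type names, the `settleVulnerable`/`settleHardened` functions, the `spt:<token>` idempotency-key scheme and the sample challenges are all assumptions made for this illustration. The vulnerable shape trusts `status === "succeeded"` alone; the hardened shape rejects any replayed response and, going slightly beyond the advisory, also checks that the returned PaymentIntent matches the challenge's amount and currency.

```typescript
// Added illustration, not mppx's own code: a toy model of a stripe/charge
// settlement path with an in-memory stand-in for Stripe's PaymentIntent API.
// Types, function names and the `spt:<token>` idempotency-key scheme are
// assumptions made for this example.

type Challenge = { id: string; amount: number; currency: string };
type Credential = { spt: string }; // shared payment token presented by the client

type PaymentIntent = {
  id: string;
  amount: number;
  currency: string;
  status: "succeeded" | "requires_payment_method";
};
type StripeResponse = { intent: PaymentIntent; headers: Record<string, string> };

// Mock of Stripe's idempotency behaviour: repeating an Idempotency-Key returns the
// stored result with `Idempotent-Replayed: true` instead of charging again.
class MockStripe {
  private byKey = new Map<string, PaymentIntent>();
  charges = 0; // number of times a customer was actually charged

  createPaymentIntent(
    params: { amount: number; currency: string; spt: string },
    idempotencyKey: string
  ): StripeResponse {
    const prior = this.byKey.get(idempotencyKey);
    if (prior !== undefined) {
      return { intent: prior, headers: { "Idempotent-Replayed": "true" } };
    }
    this.charges += 1;
    const intent: PaymentIntent = {
      id: `pi_${this.charges}`,
      amount: params.amount,
      currency: params.currency,
      status: "succeeded"
    };
    this.byKey.set(idempotencyKey, intent);
    return { intent, headers: {} };
  }
}

// Header names are case-insensitive (node's http layer lowercases them, other
// clients may not), so compare without regard to case.
function wasReplayed(headers: Record<string, string>): boolean {
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === "idempotent-replayed") {
      return value.trim().toLowerCase() === "true";
    }
  }
  return false;
}

type Outcome = { accepted: boolean; reason: string; intentId?: string };
type Settle = (stripe: MockStripe, challenge: Challenge, cred: Credential) => Outcome;

// Vulnerable shape: trusts intent.status alone, so a replayed PaymentIntent passes.
const settleVulnerable: Settle = (stripe, challenge, cred) => {
  const res = stripe.createPaymentIntent(
    { amount: challenge.amount, currency: challenge.currency, spt: cred.spt },
    `spt:${cred.spt}`
  );
  if (res.intent.status !== "succeeded") {
    return { accepted: false, reason: "payment not succeeded" };
  }
  return { accepted: true, reason: "charged", intentId: res.intent.id };
};

// Hardened shape: a replayed response means no new charge happened, so the
// credential is rejected for this challenge; amount and currency are also checked.
const settleHardened: Settle = (stripe, challenge, cred) => {
  const res = stripe.createPaymentIntent(
    { amount: challenge.amount, currency: challenge.currency, spt: cred.spt },
    `spt:${cred.spt}`
  );
  if (wasReplayed(res.headers)) {
    return { accepted: false, reason: "idempotent replay: credential already spent" };
  }
  if (res.intent.amount !== challenge.amount || res.intent.currency !== challenge.currency) {
    return { accepted: false, reason: "PaymentIntent does not match challenge" };
  }
  if (res.intent.status !== "succeeded") {
    return { accepted: false, reason: "payment not succeeded" };
  }
  return { accepted: true, reason: "charged", intentId: res.intent.id };
};

// Replay scenario (constructed): one credential presented against three challenges.
function runScenario(settle: Settle): { accepted: number; charges: number } {
  const stripe = new MockStripe();
  const cred: Credential = { spt: "spt_example_token" };
  const challenges: Challenge[] = [1, 2, 3].map((n) => ({
    id: `challenge_${n}`,
    amount: 100,
    currency: "usd"
  }));
  let accepted = 0;
  for (const challenge of challenges) {
    if (settle(stripe, challenge, cred).accepted) accepted += 1;
  }
  return { accepted, charges: stripe.charges };
}

console.log("vulnerable:", runScenario(settleVulnerable)); // 3 accepted, 1 charge
console.log("hardened:  ", runScenario(settleHardened)); // 1 accepted, 1 charge
```

With the real stripe-node SDK the created object exposes the raw response under `lastResponse.headers`, which is where the `Idempotent-Replayed` header would be read from; the check belongs on that response, not on the PaymentIntent's `status` field, because a replayed intent still reports the status of the original, charged request.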

Related Identifiers

CVE-2026-34210
GHSA-8mhj-rffc-rcvw

Affected Products

Mppx