PT-2026-31361 · Npm · Mppx

Published

2026-03-29

·

Updated

2026-03-29

CVSS v4.0

9.3

Critical

VectorAV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:H/SI:H/SA:N

Impact

Multiple vulnerabilities were discovered in tempo/charge and tempo/session which allowed for undesirable behaviors, including:
  • Replaying tempo/charge transaction hashes across push/pull modes, across charge/session endpoints, and via concurrent requests
  • Performing free tempo/charge requests due to missing transfer log verification in pull-mode
  • Replaying tempo/charge credentials across routes via cross-route scope confusion (memo/splits not included in scope binding)
  • Manipulating the fee payer of a tempo/charge handler into paying for requests (missing sender signature before co-signing)
  • Bypassing tempo/session voucher signature verification
  • Piggybacking off existing tempo/session channels via settle voucher reuse and weak channel ID binding
  • Performing free tempo/session requests by exploiting channel reopen without on-chain settled state
  • Accepting deductions on finalized tempo/session channels
  • Bypassing payment on free routes via method-mismatch fallback
  • Griefing tempo/session channels via force-close detection bypass (closeRequestedAt not persisted)

Patches

Fixed in 0.4.8.

Workarounds

There are no workarounds available for these vulnerabilities.

Fix

Insufficient Verification of Data Authenticity

Authentication Bypass Using an Alternate Path or Channel

Found an issue in the description? Have something to add? Feel free to write us 👾
dbugs@ptsecurity.com

Weakness Enumeration

CWE-345CWE-288CWE-294

Related Identifiers

GHSA-8X4M-QW58-3PCX

Affected Products

Mppx