PT-2026-31362 — Insufficient Verification of Data Authenticity in Crates.Io Mpp

PT-2026-31362 · Crates.Io · Mpp

Published

2026-03-29

Updated

2026-03-29

CVSS v4.0

9.3

Critical

Vector

AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:H/SI:H/SA:N

Multiple vulnerabilities were discovered which allowed for undesirable behaviors, including:

Performing free tempo/charge requests
Replaying existing tempo/charge requests
Performing free tempo/session requests
Piggybacking off existing tempo/session channels
Griefing existing tempo/session channels
Manipulate the fee payer of a tempo/charge or tempo/session handler into paying for requests
Replaying existing stripe/charge requests

The issues are patched in 0.8.0

There are no workarounds available for these vulnerabilities

Fix

Insufficient Verification of Data Authenticity

Authentication Bypass Using an Alternate Path or Channel

Found an issue in the description? Have something to add? Feel free to write us 👾

GHSA-FXC9-7J2W-VX54

Mpp