mppx has Stripe charge credential replay via missing idempotency check

6 / 10

MEDIUM

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Description

mppx is a TypeScript interface for machine payments protocol. Prior to version 0.4.11, the stripe/charge payment method did not check Stripe's Idempotent-Replayed response header when creating PaymentIntents. An attacker could replay a valid credential containing the same spt token against a new challenge, and the server would accept the replayed Stripe PaymentIntent as a new successful payment without actually charging the customer again. This allowed an attacker to pay once and consume unlimited resources by replaying the credential. This issue has been patched in version 0.4.11.

Basic Information

ID CVE-2026-34210

Source GitHub_M

Published Mar 31, 2026 at 14:10

Modified Mar 31, 2026 at 18:53

Affected Product

Vendor wevm

Product mppx

Version < 0.4.11

Affected Versions wevm mppx < 0.4.11

CWE Classification

CWE-697

References

{
    "lastseen": "",
    "description": "mppx is a TypeScript interface for machine payments protocol. Prior to version 0.4.11, the stripe/charge payment method did not check Stripe's Idempotent-Replayed response header when creating PaymentIntents. An attacker could replay a valid credential containing the same spt token against a new challenge, and the server would accept the replayed Stripe PaymentIntent as a new successful payment without actually charging the customer again. This allowed an attacker to pay once and consume unlimited resources by replaying the credential. This issue has been patched in version 0.4.11.",
    "published": "2026-03-31T14:10:10.463Z",
    "modified": "2026-03-31T18:53:01.611Z",
    "type": "cve",
    "title": "mppx has Stripe charge credential replay via missing idempotency check",
    "source": "GitHub_M",
    "references": "https://github.com/wevm/mppx/security/advisories/GHSA-8mhj-rffc-rcvw\nhttps://github.com/wevm/mppx/commit/b2b1a0b60506fc71aa80b8a025084949dca1a994\nhttps://github.com/wevm/mppx/releases/tag/[email protected]",
    "id": "CVE-2026-34210",
    "bulletinFamily": "",
    "cwe": [
        "CWE-697"
    ],
    "cvelist": null,
    "sourceData": "wevm mppx < 0.4.11",
    "sourceHref": "",
    "cvss": {
        "score": 6,
        "severity": "MEDIUM",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "mppx",
    "version": "< 0.4.11",
    "vendor": "wevm",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

mppx has Stripe charge credential replay via missing idempotency check_CVE-2026-34210