CVE-2026-34210

mppx has Stripe charge credential replay via missing idempotency check

CVSS 6 MEDIUMEPSS 0.5%CWE-697

Vexday Risk Score

13Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 6EPSS 0.5%KEV nãoPoC —Nuclei —Metasploit —Patch —

Lifecycle

31 Mar 2026Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

mppx is a TypeScript interface for machine payments protocol. Prior to version 0.4.11, the stripe/charge payment method did not check Stripe's Idempotent-Replayed response header when creating PaymentIntents. An attacker could replay a valid credential containing the same spt token against a new challenge, and the server would accept the replayed Stripe PaymentIntent as a new successful payment without actually charging the customer again. This allowed an attacker to pay once and consume unlimited resources by replaying the credential. This issue has been patched in version 0.4.11.

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Affected products

wevm · mppx

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/wevm/mppx/commit/b2b1a0b60506fc71aa80b8a025084949dca1a994 https://github.com/wevm/mppx/releases/tag/mppx@0.4.11 https://github.com/wevm/mppx/security/advisories/GHSA-8mhj-rffc-rcvw