{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34210", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-26T15:57:52.324Z", "datePublished": "2026-03-31T14:10:10.463Z", "dateUpdated": "2026-03-31T18:53:01.611Z"}, "containers": {"cna": {"title": "mppx has Stripe charge credential replay via missing idempotency check", "problemTypes": [{"descriptions": [{"cweId": "CWE-697", "lang": "en", "description": "CWE-697: Incorrect Comparison", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 6, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/wevm/mppx/security/advisories/GHSA-8mhj-rffc-rcvw", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/wevm/mppx/security/advisories/GHSA-8mhj-rffc-rcvw"}, {"name": "https://github.com/wevm/mppx/commit/b2b1a0b60506fc71aa80b8a025084949dca1a994", "tags": ["x_refsource_MISC"], "url": "https://github.com/wevm/mppx/commit/b2b1a0b60506fc71aa80b8a025084949dca1a994"}, {"name": "https://github.com/wevm/mppx/releases/tag/mppx@0.4.11", "tags": ["x_refsource_MISC"], "url": "https://github.com/wevm/mppx/releases/tag/mppx@0.4.11"}], "affected": [{"vendor": "wevm", "product": "mppx", "versions": [{"version": "< 0.4.11", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-31T14:10:10.463Z"}, "descriptions": [{"lang": "en", "value": "mppx is a TypeScript interface for machine payments protocol. Prior to version 0.4.11, the stripe/charge payment method did not check Stripe's Idempotent-Replayed response header when creating PaymentIntents. An attacker could replay a valid credential containing the same spt token against a new challenge, and the server would accept the replayed Stripe PaymentIntent as a new successful payment without actually charging the customer again. This allowed an attacker to pay once and consume unlimited resources by replaying the credential. This issue has been patched in version 0.4.11."}], "source": {"advisory": "GHSA-8mhj-rffc-rcvw", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-31T18:50:24.072789Z", "id": "CVE-2026-34210", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-31T18:53:01.611Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-34210", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-31T18:50:24.072789Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-31T18:50:25.187Z"}}], "cna": {"title": "mppx has Stripe charge credential replay via missing idempotency check", "source": {"advisory": "GHSA-8mhj-rffc-rcvw", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "wevm", "product": "mppx", "versions": [{"status": "affected", "version": "< 0.4.11"}]}], "references": [{"url": "https://github.com/wevm/mppx/security/advisories/GHSA-8mhj-rffc-rcvw", "name": "https://github.com/wevm/mppx/security/advisories/GHSA-8mhj-rffc-rcvw", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/wevm/mppx/commit/b2b1a0b60506fc71aa80b8a025084949dca1a994", "name": "https://github.com/wevm/mppx/commit/b2b1a0b60506fc71aa80b8a025084949dca1a994", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/wevm/mppx/releases/tag/mppx@0.4.11", "name": "https://github.com/wevm/mppx/releases/tag/mppx@0.4.11", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "mppx is a TypeScript interface for machine payments protocol. Prior to version 0.4.11, the stripe/charge payment method did not check Stripe's Idempotent-Replayed response header when creating PaymentIntents. An attacker could replay a valid credential containing the same spt token against a new challenge, and the server would accept the replayed Stripe PaymentIntent as a new successful payment without actually charging the customer again. This allowed an attacker to pay once and consume unlimited resources by replaying the credential. This issue has been patched in version 0.4.11."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-697", "description": "CWE-697: Incorrect Comparison"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-31T14:10:10.463Z"}}}, "cveMetadata": {"cveId": "CVE-2026-34210", "state": "PUBLISHED", "dateUpdated": "2026-03-31T18:53:01.611Z", "dateReserved": "2026-03-26T15:57:52.324Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-31T14:10:10.463Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:wevm:mppx:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "72D62258-34DE-453F-8DFC-D25FA285D537", "versionEndExcluding": "0.4.11", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "mppx is a TypeScript interface for machine payments protocol. Prior to version 0.4.11, the stripe/charge payment method did not check Stripe's Idempotent-Replayed response header when creating PaymentIntents. An attacker could replay a valid credential containing the same spt token against a new challenge, and the server would accept the replayed Stripe PaymentIntent as a new successful payment without actually charging the customer again. This allowed an attacker to pay once and consume unlimited resources by replaying the credential. This issue has been patched in version 0.4.11."}], "id": "CVE-2026-34210", "lastModified": "2026-04-03T16:17:49.840", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.0, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-31T15:16:18.207", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/wevm/mppx/commit/b2b1a0b60506fc71aa80b8a025084949dca1a994"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/wevm/mppx/releases/tag/mppx@0.4.11"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://github.com/wevm/mppx/security/advisories/GHSA-8mhj-rffc-rcvw"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-697"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.4.11)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "mppx", "source": "cna", "vendor": "wevm"}, "product": "mppx", "vendor": "wevm"}], "analysis": {"en": {"generated_at": "2026-04-03T19:24:06.262260+00:00", "value": {"mitigation_remediation": ["Upgrade wevm mppx to version 0.4.11 or later"], "summary": {"action": "Patch immediately", "impact": "Unauthorized payment reuse via credential replay"}, "threat_synthesis": {"affected_systems": "The vulnerability exists in versions of wevm\u2019s mppx prior to 0.4.11. Any deployment that incorporates the stripe/charge payment method and has not upgraded to version 0.4.11 is susceptible. The patch was released in the 0.4.11 release and removes the missing idempotency check.", "description_and_impact": "mppx, a TypeScript interface for machine payments, fails to check Stripe\u2019s Idempotent-Replayed header when creating PaymentIntents. As a result an attacker who holds a valid credential containing an spt token can resend the same credential in a new request. The server accepts the replayed Stripe PaymentIntent as a fresh transaction, charging the customer only once while allowing the attacker to consume unlimited resources. The likely attack vector is an API request that reuses the same credential with a new challenge; this is inferred from the description of replaying a credential against a new challenge.", "risk_and_exploitability": "The common vulnerability scoring system assigns a CVSS score of 6, indicating moderate severity. The EPSS score is below 1\u202f%, suggesting a low likelihood of exploitation in the wild, and the issue is not listed in the CISA KEV catalog. An attacker can exploit the flaw by sending a replayed API request with a valid spt token; no special hardware or privileged access is required beyond possession of the credential. While the risk of exploitation is considered moderate, the impact of successful attacks could be substantial for affected payment services."}}}}, "created": "2026-03-31T19:54:34.127800+00:00", "updated": "2026-04-03T21:17:43.995188+00:00", "vendors": ["wevm", "wevm$PRODUCT$mppx"]}