CVSS 9.5 | CVE-2026-34210 | GHSA-8x4m-qw58-3pcx

Mppx Payment Bypass and Credential Replay Vulnerabilities (2026)

Critical vulnerabilities in the `mppx` nodejs package allow payment bypass and credential replay. Update immediately to version 0.4.11 or later for CVE-2026-34210 and to version 0.4.8 or later for GHSA-8x4m-qw58-3pcx to mitigate risks.


Multiple vulnerabilities have been discovered in the `mppx` nodejs package, potentially allowing payment bypass and credential replay attacks. These vulnerabilities could allow attackers to consume resources without payment or manipulate payment processes. Patches are available in version 0.4.11 (CVE-2026-34210) and version 0.4.8 (GHSA-8x4m-qw58-3pcx).

One vulnerability has a CVSS score of 9.5, indicating critical severity and high exploitability.

What is Mppx?

Mppx is a component for nodejs, likely used for payment processing or related functionalities within nodejs applications. It handles charge transactions and session management.

CVE-2026-34210: Mppx Stripe Charge Credential Replay

CVSS: 0.0
Affected versions: Users using versions prior to 0.4.11 are affected if they use the `stripe/charge` payment method.

No CVSS score provided.

EPSS score of 0.04 suggests low exploitability.

The `stripe/charge` payment method in `mppx` lacked a check for Stripe's `Idempotent-Replayed` response header. An attacker could replay a valid credential, using the same `spt` token, against a new challenge, leading the server to accept the replayed Stripe PaymentIntent as a new successful payment without additional charges.
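The missing check described above, sketched as an added example (not code from mppx or from the original advisory). `acceptCharge`, `credited` and the response shape are hypothetical, the sample replies are constructed, and the PaymentIntent-id bookkeeping is an extra safeguard assumed by this example rather than something the advisory describes.

```javascript
// Added example: a hypothetical acceptance check, not mppx's code.
// Responses are constructed stand-ins for a Stripe PaymentIntent API reply.

// Case-insensitive header lookup (HTTP header names are case-insensitive).
function header(headers, name) {
  const want = name.toLowerCase();
  for (const [k, v] of Object.entries(headers || {})) {
    if (k.toLowerCase() === want) return String(v).trim().toLowerCase();
  }
  return undefined;
}

// Assumption of this example: PaymentIntent ids already credited are
// remembered, so one payment can never settle two challenges.
const credited = new Map(); // paymentIntentId -> challengeId

function acceptCharge(challengeId, response) {
  if (response.status !== 200) return { ok: false, reason: 'http_status' };
  // Stripe marks a reply served from its idempotency cache with this header:
  // no new charge was made, so it must not count as a fresh payment.
  if (header(response.headers, 'Idempotent-Replayed') === 'true') {
    return { ok: false, reason: 'idempotent_replay' };
  }
  const pi = response.body;
  if (!pi || pi.status !== 'succeeded') return { ok: false, reason: 'not_succeeded' };
  if (credited.has(pi.id)) return { ok: false, reason: 'payment_intent_reused' };
  credited.set(pi.id, challengeId);
  return { ok: true, paymentIntent: pi.id };
}

// Constructed sample replies: a first payment, then the same credential
// presented against a second challenge.
function demo() {
  credited.clear(); // start each run from empty state
  const body = { id: 'pi_constructed_001', status: 'succeeded' };
  const fresh = { status: 200, headers: { 'Request-Id': 'req_a' }, body };
  const replay = { status: 200, headers: { 'idempotent-replayed': 'true' }, body };
  const stripped = { status: 200, headers: {}, body }; // header lost in transit
  return [
    acceptCharge('challenge-1', fresh),
    acceptCharge('challenge-2', replay),
    acceptCharge('challenge-2', stripped),
  ];
}

console.log(demo().map((r) => (r.ok ? 'accepted' : 'rejected: ' + r.reason)));
```

In a real deployment the credited-id set would live in durable storage shared by all server instances; the in-memory `Map` here only serves the demonstration.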

How to fix CVE-2026-34210 in Mppx

Patch immediately
  1. Update the `mppx` package to version 0.4.11 or later:

     npm update mppx

Verify with:

     npm list mppx

Workaround: There are no workarounds available for this vulnerability.


GHSA-8x4m-qw58-3pcx: Mppx Multiple Payment Bypass and Griefing Vulnerabilities

CVSS: 9.5
Affected versions: Users using versions prior to 0.4.8 are affected if they use the `tempo/charge` and `tempo/session` functionalities.

Critical severity, high exploitability.

No EPSS score provided.

Multiple vulnerabilities were discovered in `tempo/charge` and `tempo/session` within `mppx`, allowing attackers to bypass payments and grief channels. These include replaying transaction hashes, performing free requests, manipulating fee payers, and bypassing voucher signature verification.

How to fix GHSA-8x4m-qw58-3pcx in Mppx

Patch immediately
  1. Update the `mppx` package to version 0.4.8 or later:

     npm update mppx

Verify with:

     npm list mppx

Workaround: There are no workarounds available for these vulnerabilities.



Critical vulnerabilities in `mppx` require immediate patching to prevent payment bypass and credential replay attacks. Ensure you update to version 0.4.11 or later for CVE-2026-34210 and to version 0.4.8 or later for GHSA-8x4m-qw58-3pcx to mitigate these risks.
