Platform: nodejs
Component: mppx
Fixed in: 0.4.12, 0.4.11
CVE-2026-34210 is a payment replay vulnerability discovered in the mppx library. This flaw allows attackers to replay valid Stripe PaymentIntent credentials, potentially leading to unlimited resource consumption without incurring additional charges. The vulnerability affects versions of mppx prior to 0.4.11, and a patch has been released to address the issue.
The core of the vulnerability lies in the stripe/charge payment method's failure to validate the Idempotent-Replayed header returned by Stripe. An attacker holding a valid credential (containing the spt token) can submit it again and again against new challenges. Because the server never checks the header that marks a Stripe response as a replay, it treats each replayed credential as a new, successful payment. The attacker can thus consume resources without paying again, which can cause significant financial and operational impact for the affected application, including resource exhaustion or denial of service.
This vulnerability was publicly disclosed on 2026-03-29. No public proof-of-concept (POC) code has been released at the time of writing. The vulnerability is not currently listed on the CISA KEV catalog. The probability of exploitation is considered medium due to the relatively straightforward nature of the attack and the potential for significant impact.
Exploit Status
EPSS: 0.04% (13th percentile)
CISA SSVC
The primary mitigation for CVE-2026-34210 is to upgrade to version 0.4.11 or later of the mppx library. This version checks the Idempotent-Replayed header and refuses replayed PaymentIntents. If an immediate upgrade is not feasible, add a temporary check in your application code that inspects Stripe's Idempotent-Replayed response header before a PaymentIntent is treated as paid, and reject the request when the header is set. Test any workaround thoroughly before deploying it to production. After upgrading, confirm the fix by attempting to replay a previously successful PaymentIntent credential; it should be rejected.
Update the version of mppx to 0.4.11 or higher. This version fixes the Stripe credential replay vulnerability by implementing verification of Stripe's `Idempotent-Replayed` response header. By updating, you ensure that payments cannot be replayed by attackers to consume unlimited resources without additional charges.
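The following is an added example of the workaround described above, written for this page rather than taken from mppx's own code. It treats a Stripe response as a fresh payment only when the Idempotent-Replayed header is absent, and as a second line of defence keeps a ledger of PaymentIntent ids that have already redeemed a challenge. The response shape (`headers` plus `body`), the placeholder ids and the in-memory ledger are assumptions; the sample responses are constructed, not captured from Stripe.

```javascript
'use strict';

// Name of the response header Stripe sets to "true" when it serves a stored
// response for a previously seen idempotency key instead of running the
// request again.
const REPLAY_HEADER = 'idempotent-replayed';

// Look up a header case-insensitively. Node's http module lower-cases incoming
// header names, but other clients may preserve the original casing.
function headerValue(headers, name) {
  const want = name.toLowerCase();
  for (const [key, value] of Object.entries(headers || {})) {
    if (key.toLowerCase() === want) {
      return Array.isArray(value) ? value[0] : value;
    }
  }
  return undefined;
}

// True when Stripe flagged this response as a replay of an earlier request.
function isIdempotentReplay(headers) {
  const value = headerValue(headers, REPLAY_HEADER);
  return value !== undefined && String(value).trim().toLowerCase() === 'true';
}

// Guard that decides whether a Stripe PaymentIntent response may redeem a
// challenge. The in-memory ledger of redeemed PaymentIntent ids is an
// assumption for this example; a real service would use a durable store.
function createPaymentGuard() {
  const redeemed = new Set();
  return {
    settle(response) {
      const { id, status } = response.body;
      if (status !== 'succeeded') {
        return { ok: false, reason: 'not_succeeded', paymentIntent: id };
      }
      if (isIdempotentReplay(response.headers)) {
        return { ok: false, reason: 'idempotent_replay', paymentIntent: id };
      }
      if (redeemed.has(id)) {
        return { ok: false, reason: 'already_redeemed', paymentIntent: id };
      }
      redeemed.add(id);
      return { ok: true, reason: null, paymentIntent: id };
    },
  };
}

// Constructed sample responses (not captured from Stripe); the ids are
// placeholders. The first is a fresh, successful confirmation; the second is
// the same credential submitted again, answered from Stripe's cache and marked
// with Idempotent-Replayed: true; the third omits the header but reuses an id
// the ledger has already seen.
const SAMPLE_RESPONSES = [
  { headers: { 'request-id': 'req_example_1' },
    body: { id: 'pi_example_123', status: 'succeeded' } },
  { headers: { 'Idempotent-Replayed': 'true', 'request-id': 'req_example_1' },
    body: { id: 'pi_example_123', status: 'succeeded' } },
  { headers: { 'request-id': 'req_example_2' },
    body: { id: 'pi_example_123', status: 'succeeded' } },
];

// Run the three samples through one guard; only the first should be accepted.
function runSamples() {
  const guard = createPaymentGuard();
  return SAMPLE_RESPONSES.map((r) => guard.settle(r));
}

console.log(runSamples());
```

The header check is the fix the advisory describes; the ledger covers the case where a replayed credential reaches the server by a path that does not surface Stripe's headers. If the Stripe Node SDK is in use, the raw response headers are exposed on the returned object's `lastResponse.headers` (an assumption to confirm against the SDK version in use), which is what `settle` would be fed.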
CVE-2026-34210 is a vulnerability in the mppx library that allows attackers to replay Stripe PaymentIntents without incurring charges, potentially leading to resource exhaustion.
You are affected if you use mppx versions prior to 0.4.11 and rely on the stripe/charge payment method without validating the Idempotent-Replayed header.
Upgrade to version 0.4.11 or later of the mppx library. If immediate upgrade is not possible, implement a temporary workaround to validate the Idempotent-Replayed header.
There is no confirmed active exploitation of CVE-2026-34210 at this time, but the potential for abuse is significant.
Refer to the mppx project's release notes and documentation for details regarding this vulnerability and the fix.