Platform: nodejs
Component: mppx
Fixed in: 0.4.12, 0.4.11
CVE-2026-34210 is a payment replay vulnerability discovered in the mppx library. This flaw allows attackers to replay valid Stripe PaymentIntent credentials, potentially leading to unlimited resource consumption without incurring additional charges. The vulnerability affects versions of mppx prior to 0.4.11, and a patch has been released to address the issue.
The core of the vulnerability lies in the stripe/charge payment method's failure to validate the Idempotent-Replayed header returned by Stripe. Stripe sets this header to true when a request reuses an idempotency key and the response is served from Stripe's cache rather than creating a new charge. An attacker possessing a valid credential (containing the spt token) can repeatedly submit it against a new challenge; because the server does not check the header, it treats each replayed credential as a new, successful payment. The attacker can therefore consume resources repeatedly without paying, which can cause significant financial and operational impact for the affected application, up to denial of service or resource exhaustion.
This vulnerability was publicly disclosed on 2026-03-29. No public proof-of-concept (POC) code has been released at the time of writing. The vulnerability is not currently listed on the CISA KEV catalog. The probability of exploitation is considered medium due to the relatively straightforward nature of the attack and the potential for significant impact.
Applications utilizing the mppx library for Stripe payment processing are at risk, particularly those relying on the stripe/charge payment method without proper validation of the Idempotent-Replayed header. This includes applications with custom payment integrations and those using older versions of mppx.
• nodejs / server: `npm list mppx`
• nodejs / server: `grep -r 'stripe/charge' . --include=*.js | grep 'Idempotent-Replayed'`
• nodejs / server: `npm audit mppx`
Exploit status
EPSS: 0.04% (percentile 13%)
CISA SSVC
The primary mitigation for CVE-2026-34210 is to upgrade to version 0.4.11 or later of the mppx library. This version adds a check for the Idempotent-Replayed header, preventing the replay of PaymentIntents. If an immediate upgrade is not feasible, a temporary workaround is to add a check in your application code that inspects the Idempotent-Replayed header on Stripe's response before crediting a PaymentIntent, and rejects the request when the header is set. Thoroughly test any workaround before deploying it to production. After upgrading, confirm the fix by replaying a previously successful PaymentIntent credential in a test environment: it should be rejected.
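The following is an added example of the workaround described above, written for Node.js; it is not code from the mppx project. It assumes Stripe's response headers are available as a plain object with case-insensitive lookup (as stripe-node exposes them on `lastResponse.headers`), which is an assumption of this example rather than something the advisory states. The `ChargeGuard` class and its "already credited" set are also an addition here, a second layer so that one PaymentIntent id is never credited twice even if a header were missing.

```javascript
// Added example (not mppx code): reject Stripe PaymentIntent responses that
// Stripe flagged as idempotent replays, the check the advisory's fix adds.
// Header name comes from the advisory; the shape of the headers object
// (plain object, e.g. stripe-node's `lastResponse.headers`) is assumed.

const REPLAY_HEADER = 'idempotent-replayed';

// Case-insensitive header lookup; tolerates array-valued headers.
function getHeader(headers, name) {
  if (!headers || typeof headers !== 'object') return undefined;
  const want = name.toLowerCase();
  for (const key of Object.keys(headers)) {
    if (key.toLowerCase() === want) {
      const v = headers[key];
      return Array.isArray(v) ? v[0] : v;
    }
  }
  return undefined;
}

// Stripe sets Idempotent-Replayed: true when it served a cached response for
// a reused idempotency key instead of creating a new charge.
function isReplayed(headers) {
  const v = getHeader(headers, REPLAY_HEADER);
  return v !== undefined && String(v).trim().toLowerCase() === 'true';
}

// Guard placed in front of the step that credits resources for a payment.
// The credited set is defence in depth added in this example: each
// PaymentIntent id is credited at most once, header or no header.
class ChargeGuard {
  constructor() {
    this.credited = new Set(); // use durable storage in production
  }

  verify(paymentIntent, responseHeaders) {
    if (isReplayed(responseHeaders)) {
      return { ok: false, reason: 'idempotent-replayed' };
    }
    if (!paymentIntent || paymentIntent.status !== 'succeeded') {
      return { ok: false, reason: 'not-succeeded' };
    }
    if (this.credited.has(paymentIntent.id)) {
      return { ok: false, reason: 'already-credited' };
    }
    this.credited.add(paymentIntent.id);
    return { ok: true, reason: 'fresh-payment' };
  }
}

// Constructed sample traffic (not real Stripe data): one genuine payment,
// then the same credential replayed, then the same id with no replay header.
function demo() {
  const guard = new ChargeGuard();
  const intent = { id: 'pi_constructed_0001', status: 'succeeded' };
  return [
    guard.verify(intent, { 'request-id': 'req_constructed_a' }).reason,
    guard.verify(intent, { 'Idempotent-Replayed': 'true', 'request-id': 'req_constructed_a' }).reason,
    guard.verify(intent, { 'request-id': 'req_constructed_b' }).reason,
  ];
}

console.log(demo()); // ['fresh-payment', 'idempotent-replayed', 'already-credited']
```

Only the first verification credits the payment; the replayed response is rejected on the header alone, and the third call shows that the credited-id set catches a repeat even when no header is present. Wire `verify` in before any resource is handed out, and keep the credited-id store durable and shared across server instances.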
Upgrade mppx to version 0.4.11 or later. This version fixes the Stripe credential replay vulnerability by verifying Stripe's Idempotent-Replayed response header. Upgrading ensures that payments cannot be replayed by attackers to consume unlimited resources without additional charges.
CVE-2026-34210 is a vulnerability in the mppx library that allows attackers to replay Stripe PaymentIntents without incurring charges, potentially leading to resource exhaustion.
You are affected if you are using mppx versions prior to 0.4.11 and utilize the stripe/charge payment method without validating the Idempotent-Replayed header.
Upgrade to version 0.4.11 or later of the mppx library. If immediate upgrade is not possible, implement a temporary workaround to validate the Idempotent-Replayed header.
There is no confirmed active exploitation of CVE-2026-34210 at this time, but the potential for abuse is significant.
Refer to the mppx project's release notes and documentation for details regarding this vulnerability and the fix.