Description
mppx is a TypeScript interface for machine payments protocol. Prior to version 0.4.11, the stripe/charge payment method did not check Stripe's Idempotent-Replayed response header when creating PaymentIntents. An attacker could replay a valid credential containing the same spt token against a new challenge, and the server would accept the replayed Stripe PaymentIntent as a new successful payment without actually charging the customer again. This allowed an attacker to pay once and consume unlimited resources by replaying the credential. This issue has been patched in version 0.4.11.
Published: 2026-03-31
Score: 6 Medium (CVSS 4.0, assigned by GitHub); NVD separately rates it 8.1 High on CVSS 3.1
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized payment reuse via credential replay
Action: Patch immediately
AI Analysis

Impact

mppx, wevm's TypeScript interface for the machine payments protocol, did not check Stripe's Idempotent-Replayed response header when its stripe/charge payment method created a PaymentIntent. Stripe deduplicates requests that carry an idempotency key it has already seen: it returns the original response, marks it with Idempotent-Replayed: true, and moves no money. A client that had paid once could therefore present the same credential (the same spt token) against a new challenge; Stripe handed back the already-succeeded PaymentIntent, and the server counted it as a fresh successful payment. The attacker pays once and consumes resources without limit by replaying the credential. The attack vector is an ordinary API request that reuses the credential against each new challenge, as the advisory describes; the advisory gives no further detail of the request format.
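The replay described above and in the advisory text, as an added example that is not mppx's own code. The `FakeStripe` class is a constructed in-memory stand-in that mimics Stripe's documented idempotency behaviour (a repeated Idempotency-Key returns the stored response flagged with Idempotent-Replayed: true and charges nothing). It assumes, as the advisory implies but does not spell out, that the server derives the Stripe idempotency key from the credential's spt token; the `Challenge` and `Credential` shapes are hypothetical. `settleVulnerable` reproduces the pre-0.4.11 logic, `settleHardened` the check the advisory says was missing.

```typescript
// Added example (not mppx code). FakeStripe is a constructed stand-in for
// Stripe's PaymentIntents endpoint; the Challenge/Credential shapes are
// hypothetical, and the idempotency key derived from the spt is an assumption.

type PaymentIntent = { id: string; status: "succeeded"; amount: number };
type StripeResponse = { intent: PaymentIntent; headers: Record<string, string> };

// Models Stripe's idempotency contract: a request repeating an Idempotency-Key
// gets the stored response plus the header Idempotent-Replayed: true and no new
// charge. Header names are lower-cased, as an HTTP client presents them.
class FakeStripe {
  private readonly byKey = new Map<string, PaymentIntent>();
  private charged = 0; // money that actually moved

  createPaymentIntent(amount: number, idempotencyKey: string): StripeResponse {
    const prior = this.byKey.get(idempotencyKey);
    if (prior !== undefined) {
      return { intent: prior, headers: { "idempotent-replayed": "true" } };
    }
    const intent: PaymentIntent = { id: `pi_${this.byKey.size + 1}`, status: "succeeded", amount };
    this.byKey.set(idempotencyKey, intent);
    this.charged += amount;
    return { intent, headers: {} };
  }

  totalCharged(): number {
    return this.charged;
  }
}

type Challenge = { id: string; amount: number }; // what the server asks the client to pay (hypothetical)
type Credential = { spt: string };               // what the client presents back (hypothetical)
type Settle = (stripe: FakeStripe, challenge: Challenge, cred: Credential) => boolean;

// Pre-0.4.11 behaviour: any PaymentIntent whose status is "succeeded" is
// credited as a new payment, replayed or not.
const settleVulnerable: Settle = (stripe, challenge, cred) => {
  const res = stripe.createPaymentIntent(challenge.amount, cred.spt);
  return res.intent.status === "succeeded";
};

// Hardened behaviour: Idempotent-Replayed means Stripe moved no money for this
// request, so the response must not be credited against a new challenge.
const settleHardened: Settle = (stripe, challenge, cred) => {
  const res = stripe.createPaymentIntent(challenge.amount, cred.spt);
  if (res.headers["idempotent-replayed"] === "true") {
    return false; // credential replay: refuse the challenge
  }
  if (res.intent.amount !== challenge.amount) {
    return false; // defence in depth: the intent must match what was challenged
  }
  return res.intent.status === "succeeded";
};

// Attacker pays for one challenge, then replays the same credential against
// `replays` further challenges. Returns how many were accepted vs. what was charged.
function runReplay(settle: Settle, replays: number): { accepted: number; charged: number } {
  const stripe = new FakeStripe();
  const cred: Credential = { spt: "spt_constructed_example" }; // constructed token
  let accepted = 0;
  for (let i = 0; i <= replays; i++) {
    const challenge: Challenge = { id: `chal_${i}`, amount: 500 };
    if (settle(stripe, challenge, cred)) accepted++;
  }
  return { accepted, charged: stripe.totalCharged() };
}

console.log("vulnerable:", runReplay(settleVulnerable, 9)); // { accepted: 10, charged: 500 }
console.log("hardened:  ", runReplay(settleHardened, 9));   // { accepted: 1, charged: 500 }
```

With the real stripe-node client the response headers are exposed on the returned object's `lastResponse.headers`, so the same check is a one-line comparison there. Checking the header is the minimal fix; a server can additionally record spt tokens it has already consumed and refuse a replay before any Stripe call is made.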

Affected Systems

The vulnerability exists in versions of wevm's mppx prior to 0.4.11 (CPE cpe:2.3:a:wevm:mppx:*:*:*:*:*:node.js:*:*). Any deployment that uses the stripe/charge payment method and has not upgraded is susceptible; deployments that use mppx without that payment method are not described as affected. Version 0.4.11 adds the missing check on Stripe's Idempotent-Replayed header.

Risk and Exploitability

GitHub's CVSS 4.0 vector (AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N) scores 6.0 Medium; NVD's separate CVSS 3.1 assessment (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H) scores 8.1 High, counting the unlimited resource consumption as an availability impact as well as an integrity one. The EPSS score is below 1% and the issue is not listed in the CISA KEV catalog; the SSVC record shows Exploitation: none and Automatable: no. Exploitation needs nothing beyond a valid credential: the attacker pays once legitimately (the PR:L in both vectors) and then resends the same spt token over the network against each new challenge, with no special tooling or privileged access. For an affected service the impact is direct financial loss, since resources are handed out that were paid for only once.

Generated by OpenCVE AI on April 3, 2026 at 19:24 UTC.

Remediation

A vendor fix is available: mppx 0.4.11 adds the check on Stripe's Idempotent-Replayed header. No separate workaround is published in the advisory.

OpenCVE Recommended Actions

  • Upgrade wevm mppx to version 0.4.11 or later


Advisories

Source: GitHub GHSA
ID: GHSA-8mhj-rffc-rcvw
Title: mppx has Stripe charge credential replay via missing idempotency check
History

Fri, 03 Apr 2026 16:30:00 +0000 (values added; nothing removed)

  CPEs: cpe:2.3:a:wevm:mppx:*:*:*:*:*:node.js:*:*
  Metrics: cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H'}

Wed, 01 Apr 2026 02:15:00 +0000 (values added; nothing removed)

  First time appeared: Wevm; Wevm mppx
  Vendors & Products: Wevm; Wevm mppx

Tue, 31 Mar 2026 19:15:00 +0000 (values added; nothing removed)

  Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 31 Mar 2026 14:30:00 +0000 (values added; nothing removed)

  Description: the advisory text shown at the top of this page
  Title: mppx has Stripe charge credential replay via missing idempotency check
  Weaknesses: CWE-697 (Incorrect Comparison)
  References: (none recorded)
  Metrics: cvssV4_0 {'score': 6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N'}
MITRE

  Status: PUBLISHED
  Assigner: GitHub_M
  Published: (not recorded)
  Updated: 2026-03-31T18:53:01.611Z
  Reserved: 2026-03-26T15:57:52.324Z
  Link: CVE-2026-34210

Vulnrichment

  Updated: 2026-03-31T18:50:25.187Z

NVD

  Status: Analyzed
  Published: 2026-03-31T15:16:18.207
  Modified: 2026-04-03T16:17:49.840
  Link: CVE-2026-34210

Redhat

  No data.

OpenCVE Enrichment

  Updated: 2026-04-03T21:17:43Z

Weaknesses