CVE-2026-34209
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Lifecycle Timeline
3DescriptionGitHub Advisory
Impact
The tempo/session cooperative close handler validated the close voucher amount using < instead of <= against the on-chain settled amount. An attacker could submit a close voucher exactly equal to the settled amount, which would be accepted without committing any new funds, effectively closing or griefing the channel for free.
Patches
Fixed in 0.4.11.
Workarounds
There are no workarounds available for this vulnerability.
AnalysisAI
A logic error in the mppx npm package (versions <0.4.11) allows remote attackers to close payment channels without committing funds by exploiting an off-by-one validation flaw in the tempo/session cooperative close handler. The handler incorrectly used '<' instead of '<=' when validating close voucher amounts against settled on-chain amounts, enabling attackers to submit vouchers exactly equal to settled amounts for free channel closure or griefing attacks. No active exploitation confirmed (CISA KEV), but publicly available patch and detailed advisory increase exploitation risk. CVSS 7.5 (High) reflects network-accessible, low-complexity attack requiring no authentication.
Technical ContextAI
This vulnerability affects the mppx package, a Node.js/npm library implementing payment channel primitives. Payment channels are cryptographic constructs that allow parties to conduct multiple off-chain transactions before settling final balances on-chain. The tempo/session cooperative close handler is responsible for validating close vouchers-cryptographic proofs of agreed channel closure amounts-before executing channel settlement. The root cause is CWE-294 (Authentication Bypass by Capture-replay), manifesting as an off-by-one comparison error. The code validated voucher amounts using a strict less-than comparison (amount < settled_amount) instead of less-than-or-equal-to (amount <= settled_amount). This boundary condition error meant vouchers with amounts exactly equal to the settled amount would pass validation without requiring the attacker to lock any additional funds, violating the protocol's economic security model. The affected package is distributed via npm under the identifier pkg:npm/mppx.
RemediationAI
Vendor-released patch: Upgrade to mppx version 0.4.11 or later immediately. The fix is available via npm package manager by updating package dependencies to mppx@0.4.11, released at https://github.com/wevm/mppx/releases/tag/mppx@0.4.11. The specific patch commit correcting the comparison operator from less-than to less-than-or-equal-to is available at https://github.com/wevm/mppx/commit/94088246ee18f21b5d6be40d9e7a464f5a280bfb for code review. No workarounds exist according to the vendor advisory-upgrading to the patched version is the only remediation path. Organizations should verify the update is applied across all environments using mppx for payment channel operations and test channel closure functionality post-upgrade to ensure proper validation behavior.
Same weakness CWE-294 – Authentication Bypass by Capture-replay
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-mv9j-8jvg-j8mr