Skip to main content

CVE-2026-34209

HIGH
Authentication Bypass by Capture-replay (CWE-294)
2026-03-29 https://github.com/wevm/mppx GHSA-mv9j-8jvg-j8mr
7.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

3
Analysis Generated
Mar 29, 2026 - 15:30 vuln.today
Patch released
Mar 29, 2026 - 15:30 nvd
Patch available
CVE Published
Mar 29, 2026 - 15:10 nvd
HIGH 7.5

DescriptionGitHub Advisory

Impact

The tempo/session cooperative close handler validated the close voucher amount using < instead of <= against the on-chain settled amount. An attacker could submit a close voucher exactly equal to the settled amount, which would be accepted without committing any new funds, effectively closing or griefing the channel for free.

Patches

Fixed in 0.4.11.

Workarounds

There are no workarounds available for this vulnerability.

AnalysisAI

A logic error in the mppx npm package (versions <0.4.11) allows remote attackers to close payment channels without committing funds by exploiting an off-by-one validation flaw in the tempo/session cooperative close handler. The handler incorrectly used '<' instead of '<=' when validating close voucher amounts against settled on-chain amounts, enabling attackers to submit vouchers exactly equal to settled amounts for free channel closure or griefing attacks. No active exploitation confirmed (CISA KEV), but publicly available patch and detailed advisory increase exploitation risk. CVSS 7.5 (High) reflects network-accessible, low-complexity attack requiring no authentication.

Technical ContextAI

This vulnerability affects the mppx package, a Node.js/npm library implementing payment channel primitives. Payment channels are cryptographic constructs that allow parties to conduct multiple off-chain transactions before settling final balances on-chain. The tempo/session cooperative close handler is responsible for validating close vouchers-cryptographic proofs of agreed channel closure amounts-before executing channel settlement. The root cause is CWE-294 (Authentication Bypass by Capture-replay), manifesting as an off-by-one comparison error. The code validated voucher amounts using a strict less-than comparison (amount < settled_amount) instead of less-than-or-equal-to (amount <= settled_amount). This boundary condition error meant vouchers with amounts exactly equal to the settled amount would pass validation without requiring the attacker to lock any additional funds, violating the protocol's economic security model. The affected package is distributed via npm under the identifier pkg:npm/mppx.

RemediationAI

Vendor-released patch: Upgrade to mppx version 0.4.11 or later immediately. The fix is available via npm package manager by updating package dependencies to mppx@0.4.11, released at https://github.com/wevm/mppx/releases/tag/mppx@0.4.11. The specific patch commit correcting the comparison operator from less-than to less-than-or-equal-to is available at https://github.com/wevm/mppx/commit/94088246ee18f21b5d6be40d9e7a464f5a280bfb for code review. No workarounds exist according to the vendor advisory-upgrading to the patched version is the only remediation path. Organizations should verify the update is applied across all environments using mppx for payment channel operations and test channel closure functionality post-upgrade to ensure proper validation behavior.

Share

CVE-2026-34209 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy