CVE-2026-34210
MEDIUM
GHSA-8mhj-rffc-rcvw
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3Description
### Impact The `stripe/charge` payment method did not check Stripe's `Idempotent-Replayed` response header when creating PaymentIntents. An attacker could replay a valid credential containing the same `spt` token against a new challenge, and the server would accept the replayed Stripe PaymentIntent as a new successful payment without actually charging the customer again. This allowed an attacker to pay once and consume unlimited resources by replaying the credential. ### Patches Fixed in 0.4.11. The server now checks the `Idempotent-Replayed` header and rejects replayed PaymentIntents. ### Workarounds There are no workarounds available for this vulnerability.
Analysis
Stripe PaymentIntent replay vulnerability in mppx payment handler allows attackers to bypass idempotency checks and consume resources by replaying captured Stripe credentials against new challenges without actual charges. The vulnerability affects mppx versions prior to 0.4.11, where the server failed to validate Stripe's Idempotent-Replayed response header during PaymentIntent creation, enabling unlimited resource consumption from a single valid payment credential.
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 30 days: Identify affected systems and apply vendor patches as part of regular patch cycle. Vendor patch is available.
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today