Skip to main content

CVE-2026-34210

MEDIUM
Incorrect Comparison (CWE-697)
2026-03-29 https://github.com/wevm/mppx GHSA-8mhj-rffc-rcvw
6.0
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.0 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

3
Analysis Generated
Mar 29, 2026 - 15:30 vuln.today
Patch released
Mar 29, 2026 - 15:30 nvd
Patch available
CVE Published
Mar 29, 2026 - 15:11 nvd
MEDIUM 6.0

DescriptionGitHub Advisory

Impact

The stripe/charge payment method did not check Stripe's Idempotent-Replayed response header when creating PaymentIntents. An attacker could replay a valid credential containing the same spt token against a new challenge, and the server would accept the replayed Stripe PaymentIntent as a new successful payment without actually charging the customer again. This allowed an attacker to pay once and consume unlimited resources by replaying the credential.

Patches

Fixed in 0.4.11. The server now checks the Idempotent-Replayed header and rejects replayed PaymentIntents.

Workarounds

There are no workarounds available for this vulnerability.

AnalysisAI

Stripe PaymentIntent replay vulnerability in mppx payment handler allows attackers to bypass idempotency checks and consume resources by replaying captured Stripe credentials against new challenges without actual charges. The vulnerability affects mppx versions prior to 0.4.11, where the server failed to validate Stripe's Idempotent-Replayed response header during PaymentIntent creation, enabling unlimited resource consumption from a single valid payment credential.

Technical ContextAI

The vulnerability exists in mppx's stripe/charge payment method implementation, which handles Stripe PaymentIntent creation as part of a payment authentication flow. Stripe's API implements idempotency protection via the Idempotent-Replayed response header to prevent duplicate charges when identical requests are retransmitted. The affected code did not inspect this header, allowing an attacker who obtains a valid Stripe payment token (spt) to reuse it across multiple payment challenges. This is a server-side validation failure (CWE-697: Incorrect Comparison) where the application fails to properly verify Stripe's cryptographic proof that a PaymentIntent has already been processed, treating replayed intents as new successful transactions.

RemediationAI

Upgrade mppx to version 0.4.11 or later. The patched version now validates the Idempotent-Replayed header returned by Stripe's API and rejects PaymentIntents that have already been processed. No workarounds are available for earlier versions; immediate patching is required for deployments using the stripe/charge payment method. Refer to the official advisory at https://github.com/wevm/mppx/security/advisories/GHSA-8mhj-rffc-rcvw for detailed upgrade instructions.

Share

CVE-2026-34210 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy