CVE-2026-34210

UNKNOWN 0.0

mppx has Stripe charge credential replay via missing idempotency check

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

mppx is a TypeScript interface for machine payments protocol. Prior to version 0.4.11, the stripe/charge payment method did not check Stripe's Idempotent-Replayed response header when creating PaymentIntents. An attacker could replay a valid credential containing the same spt token against a new challenge, and the server would accept the replayed Stripe PaymentIntent as a new successful payment without actually charging the customer again. This allowed an attacker to pay once and consume unlimited resources by replaying the credential. This issue has been patched in version 0.4.11.

CWE	CWE-697
Vendor	wevm
Product	mppx
Published	Mar 31, 2026
Last Updated	Mar 31, 2026

Stay Ahead of the Next One

Get instant alerts for wevm mppx

Be the first to know when new unknown vulnerabilities affecting wevm mppx are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

wevm / mppx

< 0.4.11

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/wevm/mppx/security/advisories/GHSA-8mhj-rffc-rcvw github.com: https://github.com/wevm/mppx/commit/b2b1a0b60506fc71aa80b8a025084949dca1a994 github.com: https://github.com/wevm/mppx/releases/tag/[email protected]