GHSA-8mhj-rffc-rcvw

Source
https://github.com/advisories/GHSA-8mhj-rffc-rcvw
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-8mhj-rffc-rcvw/GHSA-8mhj-rffc-rcvw.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-8mhj-rffc-rcvw
Aliases
  • CVE-2026-34210
Published
2026-03-29T15:11:30Z
Modified
2026-03-29T15:16:47.395468Z
Severity
  • 6.0 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
mppx has Stripe charge credential replay via missing idempotency check
Details

Impact

The stripe/charge payment method did not check Stripe's Idempotent-Replayed response header when creating PaymentIntents. Stripe answers a repeated request that carries a previously used idempotency key by returning the stored result of the first request, marked with the header Idempotent-Replayed: true, and does not charge the customer again. An attacker could therefore replay a valid credential containing the same spt token against a new challenge: the server saw a PaymentIntent with a successful status and accepted it as a new payment, although the customer had been charged only once. This allowed an attacker to pay once and consume unlimited resources by replaying the credential.

Patches

Fixed in 0.4.11. The server now checks the Idempotent-Replayed header and rejects replayed PaymentIntents.

Workarounds

There are no workarounds available for this vulnerability.

Database specific
{
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-697"
    ],
    "nvd_published_at": null,
    "github_reviewed_at": "2026-03-29T15:11:30Z",
    "severity": "MODERATE"
}
References

Affected packages

npm / mppx

Package

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version / all previous versions are affected)
Fixed
0.4.11

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-8mhj-rffc-rcvw/GHSA-8mhj-rffc-rcvw.json"