GHSA-8x4m-qw58-3pcx

Source
https://github.com/advisories/GHSA-8x4m-qw58-3pcx
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-8x4m-qw58-3pcx/GHSA-8x4m-qw58-3pcx.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-8x4m-qw58-3pcx
Published
2026-03-29T15:15:36Z
Modified
2026-03-29T15:35:52.545768Z
Severity
  • 9.3 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:H/SI:H/SA:N
Summary
mppx has multiple payment bypass and griefing vulnerabilities
Details

Impact

Multiple vulnerabilities were discovered in tempo/charge and tempo/session which allowed for undesirable behaviors, including:

- Replaying tempo/charge transaction hashes across push/pull modes, across charge/session endpoints, and via concurrent requests
- Performing free tempo/charge requests due to missing transfer log verification in pull-mode
- Replaying tempo/charge credentials across routes via cross-route scope confusion (memo/splits not included in scope binding)
- Manipulating the fee payer of a tempo/charge handler into paying for requests (missing sender signature before co-signing)
- Bypassing tempo/session voucher signature verification
- Piggybacking off existing tempo/session channels via settle voucher reuse and weak channel ID binding
- Performing free tempo/session requests by exploiting channel reopen without on-chain settled state
- Accepting deductions on finalized tempo/session channels
- Bypassing payment on free routes via method-mismatch fallback
- Griefing tempo/session channels via force-close detection bypass (closeRequestedAt not persisted)
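The charge-side checks behind the first three items (accepting a transaction hash only once, regardless of push/pull mode, endpoint or concurrent submission; refusing a pull-mode request whose transfer log cannot be found; and binding the accepted credential to the route's memo and splits rather than only to a hash), as an added TypeScript example. This is not mppx's code and does not use its API: ChargeScope, TransferLog, ChargeAcceptor, the log table and the route and memo values are all constructed for the illustration, and the session-channel and fee-payer items are not covered.

```typescript
// Added illustration of server-side acceptance checks for a charge-style
// payment credential. Generic example, not mppx code: every name below is an
// assumption made for the illustration.

type Mode = "push" | "pull";

// Everything the route demanded; the presented credential must match all of it.
interface ChargeScope {
  route: string;     // e.g. "POST /v1/infer"
  mode: Mode;        // push (client paid up front) or pull (server pulled funds)
  recipient: string; // address that must have received the funds
  minAmount: number; // price of this route
  memo: string;      // server-issued memo that ties the payment to this request
  splits: string;    // canonical encoding of any fee-split configuration
}

// A transfer log entry as read back from the chain (constructed shape).
interface TransferLog {
  to: string;
  amount: number;
  memo: string;
  splits: string;
}

type Verdict = "ok" | "replay" | "no-log" | "scope-mismatch" | "underpaid";

class ChargeAcceptor {
  // Transaction hashes that are reserved (in flight) or already accepted.
  private seen = new Set<string>();

  constructor(private readonly logs: ReadonlyMap<string, TransferLog>) {}

  // Phase 1: reserve the hash synchronously, before any chain RPC is awaited,
  // so two concurrent requests carrying the same hash cannot both get past
  // the replay check. The reservation is keyed on the hash alone, so a hash
  // spent in push mode or on another endpoint is also rejected here.
  reserve(txHash: string): "reserved" | "replay" {
    if (this.seen.has(txHash)) return "replay";
    this.seen.add(txHash);
    return "reserved";
  }

  // Phase 2: verify the transfer log against the full scope. In a real handler
  // the lookup would be an awaited RPC; here it reads a constructed map. Pull
  // mode is not exempt: without a transfer log the request is unpaid.
  verify(txHash: string, scope: ChargeScope): Verdict {
    // On failure, release the reservation so a legitimate retry (or use of the
    // same hash on the route it actually paid for) is still possible.
    const release = (v: Verdict): Verdict => { this.seen.delete(txHash); return v; };
    const log = this.logs.get(txHash);
    if (!log) return release("no-log");
    // Route binding: the memo and splits the route demanded must be what the
    // transaction carried; a payment made for another route fails here.
    if (log.to !== scope.recipient || log.memo !== scope.memo || log.splits !== scope.splits) {
      return release("scope-mismatch");
    }
    if (log.amount < scope.minAmount) return release("underpaid");
    return "ok";
  }

  accept(txHash: string, scope: ChargeScope): Verdict {
    const r = this.reserve(txHash);
    return r === "reserved" ? this.verify(txHash, scope) : r;
  }
}

// Constructed sample chain state for the example.
const LOGS: ReadonlyMap<string, TransferLog> = new Map<string, TransferLog>([
  ["0xaaa1", { to: "0xserver", amount: 1000, memo: "infer:req-42", splits: "none" }],
  ["0xaaa2", { to: "0xserver", amount: 1000, memo: "infer:req-43", splits: "none" }],
  ["0xaaa3", { to: "0xserver", amount: 10, memo: "infer:req-44", splits: "none" }],
]);

function inferScope(memo: string, mode: Mode = "push"): ChargeScope {
  return { route: "POST /v1/infer", mode, recipient: "0xserver", minAmount: 1000, memo, splits: "none" };
}

// Walks through the failure modes in order: a valid charge, the same hash
// replayed in the other mode, a hash paid for one route presented to another,
// an underpayment, and a pull-mode request with no transfer log at all.
function demo(): Verdict[] {
  const acceptor = new ChargeAcceptor(LOGS);
  return [
    acceptor.accept("0xaaa1", inferScope("infer:req-42")),
    acceptor.accept("0xaaa1", inferScope("infer:req-42", "pull")),
    acceptor.accept("0xaaa2", { ...inferScope("infer:req-43"), route: "POST /v1/other", memo: "other:req-43" }),
    acceptor.accept("0xaaa3", inferScope("infer:req-44")),
    acceptor.accept("0xdead", inferScope("infer:req-45", "pull")),
  ];
}

console.log(demo().join(", "));
```

The split between reserve and verify is the point of the example: a handler that checks the hash, awaits the chain lookup, and only then records it leaves a window in which a second request with the same hash passes the same check. Reserving in the synchronous part of the handler closes that window, and releasing on failure keeps a transient lookup error from permanently burning a valid hash.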

Patches

Fixed in 0.4.8.

Workarounds

There are no workarounds available for these vulnerabilities.

Database specific
{
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-29T15:15:36Z",
    "cwe_ids": [
        "CWE-288",
        "CWE-294",
        "CWE-345"
    ],
    "severity": "CRITICAL",
    "nvd_published_at": null
}
References

Affected packages

npm / mppx

Package

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
0.4.8

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-8x4m-qw58-3pcx/GHSA-8x4m-qw58-3pcx.json"