Executive Summary

This vulnerability affects the mppx npm package versions prior to 0.4.11, specifically in the stripe/charge payment method. The issue is that the system did not check Stripe's Idempotent-Replayed response header when creating PaymentIntents. Because of this, an attacker could replay a valid credential containing the same spt token against a new challenge, and the server would accept this replayed Stripe PaymentIntent as a new successful payment without actually charging the customer again.

This flaw allows an attacker to pay once but consume unlimited resources by replaying the credential. The root cause is an incorrect comparison in a security-relevant context (CWE-697). The vulnerability was fixed in version 0.4.11 by implementing a check for the Idempotent-Replayed header and rejecting replayed PaymentIntents.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can allow an attacker to exploit the payment system by replaying a valid payment credential multiple times without being charged again. As a result, the attacker can consume unlimited resources or services that require payment, effectively bypassing payment requirements.

This can lead to financial losses, resource exhaustion, and potential disruption of service availability due to unauthorized consumption.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring the Stripe PaymentIntent creation process for the presence of the 'idempotent-replayed' response header returned by Stripe. The patched version (0.4.11) inspects this header to identify replayed payment requests.

To detect potential exploitation, you can check logs or intercept network traffic for repeated PaymentIntent creation requests with the same spt token or idempotency key.

Since the vulnerability involves replayed Stripe PaymentIntents, commands or scripts that analyze your application logs or Stripe API responses for the 'idempotent-replayed' header or repeated payment attempts with identical tokens can help detect this issue.

Specific commands depend on your environment, but examples include:

• Using grep or similar tools to search logs for 'idempotent-replayed' or repeated spt tokens: `grep -i "idempotent-replayed" /path/to/logs`
• Monitoring network traffic with tools like tcpdump or Wireshark to capture Stripe API responses and inspect headers for 'idempotent-replayed'.
• Implementing application-level logging to record Stripe response headers during PaymentIntent creation for later analysis.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate and recommended mitigation is to upgrade the mppx package to version 0.4.11 or later, where the vulnerability has been patched.

This update includes a check for Stripe's 'idempotent-replayed' response header and rejects replayed PaymentIntents, preventing attackers from reusing valid credentials to consume unlimited resources.

There are no known workarounds other than applying the patch.

Additionally, review your payment processing logs for any suspicious replayed payment attempts and consider implementing monitoring to detect such activity.

Useful 0 Not Useful 0

Compliance Impact

The provided information does not specify how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.

Useful 0 Not Useful 0