CVE-2026-34210
Replay Attack in mppx Stripe PaymentIntents Allows Resource Abuse
Publication date: 2026-03-31
Last updated on: 2026-04-03
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wevm | mppx | < 0.4.11 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-697 | The product compares two entities in a security-relevant context, but the comparison is incorrect. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not specify how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.
Can you explain this vulnerability to me?
This vulnerability affects the mppx npm package in versions prior to 0.4.11, specifically the stripe/charge payment method. Stripe deduplicates API requests by their Idempotency-Key: a repeated request with the same key creates no new charge but returns the stored original response, flagged with an `Idempotent-Replayed: true` response header. mppx never checked that header when creating PaymentIntents, so an attacker could replay a valid credential containing the same spt token against a new challenge; the replayed request hit Stripe's idempotency cache, Stripe handed back the original, already-succeeded PaymentIntent without charging the customer again, and the server accepted it as a fresh successful payment.
The result is pay once, consume without limit: every replay of the credential unlocks another paid resource at no additional cost. The root cause is classified as an incorrect comparison in a security-relevant context (CWE-697): the server's check (is this PaymentIntent in a succeeded state?) looked at the wrong property and so could not distinguish a new payment from a replayed one. Version 0.4.11 fixes this by checking the Idempotent-Replayed header and rejecting replayed PaymentIntents.
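The mechanism described above, as an added example that is not code from mppx or Stripe: a minimal in-memory model of Stripe's idempotency behaviour next to a vulnerable and a hardened version of a server-side charge step. The names (FakeStripe, chargeVulnerable, chargeHardened, the spt field of the credential, the key derivation) are hypothetical; only the replayed-response behaviour and the header value follow the real Stripe API.

```javascript
// Added example, not code from mppx or Stripe. Models Stripe idempotency and
// shows the charge step before and after checking Idempotent-Replayed.
// All names here are hypothetical.

// Stripe deduplicates requests by Idempotency-Key: the first request creates a
// PaymentIntent, any later request with the same key gets the stored response
// back plus the `Idempotent-Replayed: true` header (header names lowercased
// here, as HTTP clients normally present them).
class FakeStripe {
  constructor() {
    this.byKey = new Map();
    this.created = 0;
  }

  createPaymentIntent(params, { idempotencyKey }) {
    const cached = this.byKey.get(idempotencyKey);
    if (cached) {
      return { intent: cached, headers: { "idempotent-replayed": "true" } };
    }
    this.created += 1;
    const intent = { id: `pi_${this.created}`, amount: params.amount, status: "succeeded" };
    this.byKey.set(idempotencyKey, intent);
    return { intent, headers: {} };
  }
}

// Hypothetical key derivation: keyed on the credential alone, so a replayed
// credential maps to the same key regardless of which challenge it answers.
function idempotencyKeyFor(credential) {
  return `charge:${credential.spt}`;
}

// Before the fix: only the PaymentIntent status is inspected. A replay returns
// the original succeeded intent, so the replayed credential is accepted.
function chargeVulnerable(stripe, credential, challenge) {
  const { intent } = stripe.createPaymentIntent(
    { amount: challenge.amount },
    { idempotencyKey: idempotencyKeyFor(credential) },
  );
  return intent.status === "succeeded";
}

// After the fix: a replayed response means Stripe charged nothing for this
// request, so the credential has already been spent and must be rejected.
function chargeHardened(stripe, credential, challenge) {
  const { intent, headers } = stripe.createPaymentIntent(
    { amount: challenge.amount },
    { idempotencyKey: idempotencyKeyFor(credential) },
  );
  if (headers["idempotent-replayed"] === "true") {
    return false;
  }
  return intent.status === "succeeded";
}

// Replay one constructed credential against three distinct challenges and
// report which attempts were accepted and how many PaymentIntents Stripe made.
function simulate(charge) {
  const stripe = new FakeStripe();
  const credential = { spt: "spt_sample_credential" }; // constructed sample
  const accepted = [];
  for (let i = 1; i <= 3; i++) {
    accepted.push(charge(stripe, credential, { id: `chal_${i}`, amount: 500 }));
  }
  return { accepted, intentsCreated: stripe.created };
}

console.log("vulnerable:", simulate(chargeVulnerable)); // accepted [true,true,true], intentsCreated 1
console.log("hardened:  ", simulate(chargeHardened));   // accepted [true,false,false], intentsCreated 1
```

Both paths create exactly one PaymentIntent, which is the whole point: the customer is charged once, and the only thing that decides whether the second and third challenges are served for free is whether the server looks at the replay header.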
How can this vulnerability impact me? :
This vulnerability allows an attacker to replay a valid payment credential against new challenges without being charged again. Each replay is accepted as a fresh payment, so the attacker can obtain an unlimited amount of paid resources or services for the price of one, effectively bypassing the payment requirement.
The direct impact is revenue loss on everything delivered without payment; if the resources are scarce (rate-limited capacity, metered compute, inventory), unpaid consumption can also crowd out paying customers and disrupt service availability.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
To tell whether you are exposed, check the installed version rather than the traffic: `npm ls mppx` (or the entry in package-lock.json / yarn.lock) shows every resolved copy of the package, and anything below 0.4.11 is affected; `npm audit` will also flag it once the advisory is in the registry's database.
To tell whether the flaw has already been exploited, look for the same Stripe PaymentIntent, or the same spt token, being accepted for more than one challenge. Stripe marks a replay with the `Idempotent-Replayed: true` response header, but an unpatched mppx neither checks nor (unless you added it) logs that header, so your application logs may only contain PaymentIntent ids and tokens. Those are enough: a replayed request always returns the original PaymentIntent id. Note that a client legitimately retrying the same request also receives the header, so the signal worth alerting on is a replayed PaymentIntent accepted for a different challenge, not the header by itself.
Specific commands depend on your environment, but examples include:
- Searching application logs for the header or for repeated identifiers: `grep -i "idempotent-replayed" /path/to/logs`, or `grep -o 'pi_[A-Za-z0-9]*' /path/to/logs | sort | uniq -c | sort -rn` to list PaymentIntent ids that occur more than once.
- Recording Stripe response headers at the application layer during PaymentIntent creation (stripe-node exposes them on the returned object's `lastResponse.headers`) so that replays are visible in later analysis.
- Packet capture with tcpdump or Wireshark is of little use here: Stripe API traffic is TLS, so response headers are only visible where the TLS session terminates (the application itself, or an egress proxy you control).
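The log-based detection described above, as an added example that is not code from mppx: a scan over constructed JSON-lines application logs that flags a PaymentIntent accepted for a second, different challenge. The record layout (challenge id, spt token, PaymentIntent id, status, and the logged value of Stripe's Idempotent-Replayed header) is an assumption; map the field names onto whatever your application actually logs.

```javascript
// Added example, not code from mppx. The JSON-lines record layout is assumed.

// Constructed sample log: spt_x is replayed against three different challenges
// (the attack); spt_y is retried once for the same challenge (a benign retry
// that Stripe deduplicates as intended). One non-JSON line is mixed in.
const SAMPLE_LOG = [
  '{"ts":"2026-03-30T10:00:01Z","challenge":"chal_a1","spt":"spt_x","intent":"pi_1","status":"succeeded","idempotent_replayed":false}',
  '{"ts":"2026-03-30T10:00:09Z","challenge":"chal_b2","spt":"spt_x","intent":"pi_1","status":"succeeded","idempotent_replayed":true}',
  '{"ts":"2026-03-30T10:00:15Z","challenge":"chal_c3","spt":"spt_x","intent":"pi_1","status":"succeeded","idempotent_replayed":true}',
  '{"ts":"2026-03-30T10:01:00Z","challenge":"chal_d4","spt":"spt_y","intent":"pi_2","status":"succeeded","idempotent_replayed":false}',
  '{"ts":"2026-03-30T10:02:00Z","challenge":"chal_d4","spt":"spt_y","intent":"pi_2","status":"succeeded","idempotent_replayed":true}',
  "Mar 30 10:03:00 app[1]: unrelated non-JSON line",
];

// Returns one finding per successful payment whose PaymentIntent had already
// been accepted for a *different* challenge. A second acceptance for the same
// challenge is a client retry, not a replay, and is deliberately not reported.
function scanPaymentLog(lines) {
  const firstChallengeByIntent = new Map();
  const findings = [];
  lines.forEach((line, index) => {
    let rec;
    try {
      rec = JSON.parse(line);
    } catch {
      return; // not one of our payment records
    }
    if (rec.status !== "succeeded") return;
    const first = firstChallengeByIntent.get(rec.intent);
    if (first === undefined) {
      firstChallengeByIntent.set(rec.intent, rec.challenge);
      return;
    }
    if (first === rec.challenge) return;
    findings.push({
      line: index + 1,
      spt: rec.spt,
      intent: rec.intent,
      paidChallenge: first,
      replayedAgainst: rec.challenge,
      // true only where the header was logged; the id match alone is enough
      replayedHeaderSeen: rec.idempotent_replayed === true,
    });
  });
  return findings;
}

for (const f of scanPaymentLog(SAMPLE_LOG)) {
  console.log(`line ${f.line}: ${f.intent} (spt ${f.spt}) paid ${f.paidChallenge}, replayed against ${f.replayedAgainst}`);
}
```

Keying on the PaymentIntent id works even for deployments that never logged the header, because a replay always returns the original id; if your logs lack the id, key on the spt token instead, at the cost of also flagging a customer who legitimately reuses one token across several purchases.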
What immediate steps should I take to mitigate this vulnerability?
The immediate and recommended mitigation is to upgrade mppx to version 0.4.11 or later, where the vulnerability is patched; make sure every copy in the dependency tree is updated, not only the top-level one.
The patched version checks Stripe's Idempotent-Replayed response header during PaymentIntent creation and rejects replayed PaymentIntents, so a credential that has already been spent no longer unlocks additional resources.
There are no known workarounds other than applying the patch.
Additionally, review your payment-processing logs for PaymentIntents or spt tokens that were accepted for more than one challenge, and add monitoring so that such replays are detected going forward.