Security Vulnerability Report
CVE-2026-34209 CVSS 7.5 HIGH

Published: 2026-03-31 15:16:18
Last Modified: 2026-04-03 15:59:37

Description

mppx is a TypeScript interface for machine payments protocol. Prior to version 0.4.11, the tempo/session cooperative close handler validated the close voucher amount using "<" instead of "<=" against the on-chain settled amount. An attacker could submit a close voucher exactly equal to the settled amount, which would be accepted without committing any new funds, effectively closing or griefing the channel for free. This issue has been patched in version 0.4.11.

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Configurations (Affected Products)

cpe:2.3:a:wevm:mppx:*:*:*:*:*:node.js:*:* - VULNERABLE
mppx < 0.4.11

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
typescript
// Vulnerable concept in TypeScript
// mppx/src/tempo/session.ts (conceptual reconstruction, not the project's actual source)

// FLAWED LOGIC (before 0.4.11): the cooperative close handler only rejected a close
// voucher whose amount was strictly less than the on-chain settled amount ("<").
// A voucher exactly equal to the settled amount therefore passed the check even
// though it committed no new funds, allowing the channel to be closed for free.
// The 0.4.11 fix rejects with "<=" so that the equal case is also refused.
function validateCloseVoucher(voucherAmount: number, settledAmount: number): boolean {
  if (voucherAmount < settledAmount) {
    return false; // rejected: voucher is below what is already settled on-chain
  }
  return true; // accepted, including the voucherAmount === settledAmount case
}

// Exploit scenario: a voucher equal to the settled amount is accepted
const onChainSettledAmount = 1000;
const attackerVoucherAmount = 1000; // exact amount, no new funds committed
if (validateCloseVoucher(attackerVoucherAmount, onChainSettledAmount)) {
  console.log("Voucher accepted. Closing channel without new funds.");
  // closeChannel();
}

References

https://github.com/wevm/mppx/commit/94088246ee18f21b5d6be40d9e7a464f5a280bfb (Patch)
https://github.com/wevm/mppx/releases/tag/[email protected] (Release Notes)
https://github.com/wevm/mppx/security/advisories/GHSA-mv9j-8jvg-j8mr (Patch, Vendor Advisory)

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-34209",
    "sourceIdentifier": "[email protected]",
    "published": "2026-03-31T15:16:18.030",
    "lastModified": "2026-04-03T15:59:37.143",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "mppx is a TypeScript interface for machine payments protocol. Prior to version 0.4.11, the tempo/session cooperative close handler validated the close voucher amount using \"<\" instead of \"<=\" against the on-chain settled amount. An attacker could submit a close voucher exactly equal to the settled amount, which would be accepted without committing any new funds, effectively closing or griefing the channel for free. This issue has been patched in version 0.4.11."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 3.6
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-294"
          }
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:wevm:mppx:*:*:*:*:*:node.js:*:*",
                "versionEndExcluding": "0.4.11",
                "matchCriteriaId": "72D62258-34DE-453F-8DFC-D25FA285D537"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/wevm/mppx/commit/94088246ee18f21b5d6be40d9e7a464f5a280bfb",
        "source": "[email protected]",
        "tags": ["Patch"]
      },
      {
        "url": "https://github.com/wevm/mppx/releases/tag/[email protected]",
        "source": "[email protected]",
        "tags": ["Release Notes"]
      },
      {
        "url": "https://github.com/wevm/mppx/security/advisories/GHSA-mv9j-8jvg-j8mr",
        "source": "[email protected]",
        "tags": ["Patch", "Vendor Advisory"]
      }
    ]
  }
}