{"url":"http://public2.vulnerablecode.io/api/packages/981082?format=json","purl":"pkg:npm/mppx@0.1.1","type":"npm","namespace":"","name":"mppx","version":"0.1.1","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"0.4.11","latest_non_vulnerable_version":"0.4.11","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/75057?format=json","vulnerability_id":"VCID-7jhx-dvnr-27gg","summary":"mppx is a TypeScript interface for machine payments protocol. Prior to version 0.4.11, the stripe/charge payment method did not check Stripe's Idempotent-Replayed response header when creating PaymentIntents. An attacker could replay a valid credential containing the same spt token against a new challenge, and the server would accept the replayed Stripe PaymentIntent as a new successful payment without actually charging the customer again. This allowed an attacker to pay once and consume unlimited resources by replaying the credential. This issue has been patched in version 0.4.11.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-34210","reference_id":"","reference_type":"","scores":[{"value":"0.0002","scoring_system":"epss","scoring_elements":"0.05641","published_at":"2026-06-14T12:55:00Z"},{"value":"0.0002","scoring_system":"epss","scoring_elements":"0.0563","published_at":"2026-06-11T12:55:00Z"},{"value":"0.0002","scoring_system":"epss","scoring_elements":"0.05649","published_at":"2026-06-13T12:55:00Z"},{"value":"0.0002","scoring_system":"epss","scoring_elements":"0.05656","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-34210"},{"reference_url":"https://github.com/wevm/mppx","reference_id":"","reference_type":"","scores":[{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/wevm/mppx"},{"reference_url":"https://github.com/wevm/mppx/releases/tag/mppx%400.4.11","reference_id":"","reference_type":"","scores":[{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/wevm/mppx/releases/tag/mppx%400.4.11"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-34210","reference_id":"","reference_type":"","scores":[{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-34210"},{"reference_url":"https://github.com/wevm/mppx/commit/b2b1a0b60506fc71aa80b8a025084949dca1a994","reference_id":"b2b1a0b60506fc71aa80b8a025084949dca1a994","reference_type":"","scores":[{"value":"6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T18:50:24Z/"}],"url":"https://github.com/wevm/mppx/commit/b2b1a0b60506fc71aa80b8a025084949dca1a994"},{"reference_url":"https://github.com/advisories/GHSA-8mhj-rffc-rcvw","reference_id":"GHSA-8mhj-rffc-rcvw","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-8mhj-rffc-rcvw"},{"reference_url":"https://github.com/wevm/mppx/security/advisories/GHSA-8mhj-rffc-rcvw","reference_id":"GHSA-8mhj-rffc-rcvw","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T18:50:24Z/"}],"url":"https://github.com/wevm/mppx/security/advisories/GHSA-8mhj-rffc-rcvw"},{"reference_url":"https://github.com/wevm/mppx/releases/tag/mppx@0.4.11","reference_id":"mppx@0.4.11","reference_type":"","scores":[{"value":"6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T18:50:24Z/"}],"url":"https://github.com/wevm/mppx/releases/tag/mppx@0.4.11"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/375117?format=json","purl":"pkg:npm/mppx@0.4.11","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/mppx@0.4.11"}],"aliases":["CVE-2026-34210","GHSA-8mhj-rffc-rcvw"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-7jhx-dvnr-27gg"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/74999?format=json","vulnerability_id":"VCID-7jw1-vjwr-3uff","summary":"mppx is a TypeScript interface for machine payments protocol. Prior to version 0.4.11, the tempo/session cooperative close handler validated the close voucher amount using \"<\" instead of \"<=\" against the on-chain settled amount. An attacker could submit a close voucher exactly equal to the settled amount, which would be accepted without committing any new funds, effectively closing or griefing the channel for free. This issue has been patched in version 0.4.11.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-34209","reference_id":"","reference_type":"","scores":[{"value":"0.00014","scoring_system":"epss","scoring_elements":"0.02428","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00014","scoring_system":"epss","scoring_elements":"0.02431","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00014","scoring_system":"epss","scoring_elements":"0.02429","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00014","scoring_system":"epss","scoring_elements":"0.02423","published_at":"2026-06-13T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-34209"},{"reference_url":"https://github.com/wevm/mppx","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/wevm/mppx"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-34209","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-34209"},{"reference_url":"https://github.com/wevm/mppx/commit/94088246ee18f21b5d6be40d9e7a464f5a280bfb","reference_id":"94088246ee18f21b5d6be40d9e7a464f5a280bfb","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-02T15:13:21Z/"}],"url":"https://github.com/wevm/mppx/commit/94088246ee18f21b5d6be40d9e7a464f5a280bfb"},{"reference_url":"https://github.com/advisories/GHSA-mv9j-8jvg-j8mr","reference_id":"GHSA-mv9j-8jvg-j8mr","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-mv9j-8jvg-j8mr"},{"reference_url":"https://github.com/wevm/mppx/security/advisories/GHSA-mv9j-8jvg-j8mr","reference_id":"GHSA-mv9j-8jvg-j8mr","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-02T15:13:21Z/"}],"url":"https://github.com/wevm/mppx/security/advisories/GHSA-mv9j-8jvg-j8mr"},{"reference_url":"https://github.com/wevm/mppx/releases/tag/mppx@0.4.11","reference_id":"mppx@0.4.11","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-02T15:13:21Z/"}],"url":"https://github.com/wevm/mppx/releases/tag/mppx@0.4.11"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/375117?format=json","purl":"pkg:npm/mppx@0.4.11","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/mppx@0.4.11"}],"aliases":["CVE-2026-34209","GHSA-mv9j-8jvg-j8mr"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-7jw1-vjwr-3uff"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/360179?format=json","vulnerability_id":"VCID-td5f-p2na-kfdt","summary":"mppx has multiple payment bypass and griefing vulnerabilities\n### Impact\n\nMultiple vulnerabilities were discovered in `tempo/charge` and `tempo/session` which allowed for undesirable behaviors, including:\n- Replaying `tempo/charge` transaction hashes across push/pull modes, across charge/session endpoints, and via concurrent requests\n- Performing free `tempo/charge` requests due to missing transfer log verification in pull-mode\n- Replaying `tempo/charge` credentials across routes via cross-route scope confusion (`memo`/`splits` not included in scope binding)\n- Manipulating the fee payer of a `tempo/charge` handler into paying for requests (missing sender signature before co-signing)\n- Bypassing `tempo/session` voucher signature verification\n- Piggybacking off existing `tempo/session` channels via settle voucher reuse and weak channel ID binding\n- Performing free `tempo/session` requests by exploiting channel reopen without on-chain settled state\n- Accepting deductions on finalized `tempo/session` channels\n- Bypassing payment on free routes via method-mismatch fallback\n- Griefing `tempo/session` channels via force-close detection bypass (`closeRequestedAt` not persisted)\n\n### Patches\n\nFixed in 0.4.8.\n\n### Workarounds\n\nThere are no workarounds available for these vulnerabilities.","references":[{"reference_url":"https://github.com/wevm/mppx","reference_id":"","reference_type":"","scores":[{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:H/SI:H/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/wevm/mppx"},{"reference_url":"https://github.com/wevm/mppx/security/advisories/GHSA-8x4m-qw58-3pcx","reference_id":"","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:H/SI:H/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/wevm/mppx/security/advisories/GHSA-8x4m-qw58-3pcx"},{"reference_url":"https://github.com/advisories/GHSA-8x4m-qw58-3pcx","reference_id":"GHSA-8x4m-qw58-3pcx","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-8x4m-qw58-3pcx"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/375193?format=json","purl":"pkg:npm/mppx@0.4.8","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-7jhx-dvnr-27gg"},{"vulnerability":"VCID-7jw1-vjwr-3uff"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/mppx@0.4.8"}],"aliases":["GHSA-8x4m-qw58-3pcx"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-td5f-p2na-kfdt"}],"fixing_vulnerabilities":[],"risk_score":"4.5","resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/mppx@0.1.1"}