paypal-ipn before 3.0.0 uses the test_ipn
parameter (which is set by the PayPal IPN simulator) to determine if it should use the production PayPal site or the sandbox. With a bit of time, an attacker could craft a request using the simulator that would fool any application which does not explicitly check for test_ipn in production.
[
{
"product": "paypal-ipn node module",
"vendor": "HackerOne",
"versions": [
{
"status": "affected",
"version": "<3.0.0"
}
]
}
]