13 matches found
Improper Input Validation
mppx is vulnerable to improper input validation. The vulnerability is due to improper validation in the cooperative close handler, where the close voucher amount was checked using “<” instead of “<=” against the on-chain settled amount, which allows an attacker to submit a close voucher equal to th...
CVE-2026-34209
mppx is a TypeScript interface for machine payments protocol. Prior to version 0.4.11, the tempo/session cooperative close handler validated the close voucher amount using "<" instead of "<=" against the on-chain settled amount. An attacker could submit a close voucher exactly equal to the settled...
CVE-2026-34210 mppx has Stripe charge credential replay via missing idempotency check
mppx is a TypeScript interface for machine payments protocol. Prior to version 0.4.11, the stripe/charge payment method did not check Stripe's Idempotent-Replayed response header when creating PaymentIntents. An attacker could replay a valid credential containing the same spt token against a new...
mppx Security Vulnerability
MPPX is a blockchain-based payment protocol SDK developed by Wevm. Versions of MPPX prior to 0.4.11 contained security vulnerabilities. These vulnerabilities stemmed from the stripe/charge payment method not checking Stripe’s Idempotent-Replayed response header, which could allow attackers to...
@0xsquid/mpp (>=0.1.1-beta.1 <=0.2.0), @agentmall/mcp (>=0.1.2 <=0.1.3) +84 more potentially affected by unknown CVE via mppx (>=0.1.1 <=0.4.12)
mppx NPM version =0.1.1, =0.1.1-beta.1, =0.1.2, =0.1.1, =0.1.1, =0.22.26, =4.13.0, =1.0.1, =1.0.1, =1.2.4, =1.0.1, =1.0.1, =1.0.1, =0.2.0, =12.0.1, =12.1.0 and more Source cves: unknown CVE Source advisory: SNYK:JS-MPPX-15857153...
Replay Attack
Overview: Affected versions of this package (mppx) are vulnerable to Replay Attack through the tempo/charge and tempo/session. An attacker can gain unauthorized access or perform unauthorized actions by replaying transaction hashes, bypassing signature verification, manipulating fee...
@0xsquid/mpp (>=0.1.1-beta.1 <=0.2.0), @agentmall/mcp (>=0.1.2 <=0.1.3) +84 more potentially affected by unknown CVE via mppx (>=0.1.1 <=0.4.12)
mppx NPM version =0.1.1, =0.1.1-beta.1, =0.1.2, =0.1.1, =0.1.1, =0.22.26, =4.13.0, =1.0.1, =1.0.1, =1.2.4, =1.0.1, =1.0.1, =1.0.1, =0.2.0, =12.0.1, =12.1.0 and more Source cves: unknown CVE Source advisory: OSV:GHSA-8X4M-QW58-3PCX...
Replay Attack
Overview: Affected versions of this package (mppx) are vulnerable to Replay Attack via the stripe/charge file. An attacker can consume unlimited resources by replaying a valid credential containing the same spt token against a new challenge, causing the server to accept the replayed...
@0xsquid/mpp (>=0.1.1-beta.1 <=0.2.0), @okxweb3/mpp (=0.1.0) +2 more potentially affected by CVE-2026-34210 via mppx (>=0.1.1 <=0.3.16)
mppx NPM version =0.1.1, =0.1.1-beta.1, =0.0.0-pr-153-20260307193247, =0.1.0, =0.1.4 Source cves: CVE-2026-34210 Source advisory: SNYK:JS-MPPX-15857146...
@0xsquid/mpp (>=0.1.1-beta.1 <=0.2.0), @okxweb3/mpp (=0.1.0) +2 more potentially affected by CVE-2026-34210 via mppx (>=0.1.1 <=0.3.16)
mppx NPM version =0.1.1, =0.1.1-beta.1, =0.0.0-pr-153-20260307193247, =0.1.0, =0.1.4 Source cves: CVE-2026-34210 Source advisory: OSV:GHSA-8MHJ-RFFC-RCVW...
@0xsquid/mpp (>=0.1.1-beta.1 <=0.2.0), @okxweb3/mpp (=0.1.0) +2 more potentially affected by CVE-2026-34209 via mppx (>=0.1.1 <=0.3.16)
mppx NPM version =0.1.1, =0.1.1-beta.1, =0.0.0-pr-153-20260307193247, =0.1.0, =0.1.4 Source cves: CVE-2026-34209 Source advisory: SNYK:JS-MPPX-15857147...
@0xsquid/mpp (>=0.1.1-beta.1 <=0.2.0), @okxweb3/mpp (=0.1.0) +2 more potentially affected by CVE-2026-34209 via mppx (>=0.1.1 <=0.3.16)
mppx NPM version =0.1.1, =0.1.1-beta.1, =0.0.0-pr-153-20260307193247, =0.1.0, =0.1.4 Source cves: CVE-2026-34209 Source advisory: OSV:GHSA-MV9J-8JVG-J8MR...
Replay Attack
Overview: Affected versions of this package (mppx) are vulnerable to Replay Attack in the tempo/session cooperative close handler due to improper validation of the close voucher amount. An attacker can bypass intended restrictions by submitting a close voucher with an amount exactly...