GHSA-fxc9-7j2w-vx54: mpp has multiple payment bypass and griefing vulnerabilities

March 29, 2026

Multiple vulnerabilities were discovered which allowed for undesirable behaviors, including:

Performing free tempo/charge requests
Replaying existing tempo/charge requests
Performing free tempo/session requests
Piggybacking off existing tempo/session channels
Griefing existing tempo/session channels
Manipulate the fee payer of a tempo/charge or tempo/session handler into paying for requests
Replaying existing stripe/charge requests

References

github.com/advisories/GHSA-fxc9-7j2w-vx54
github.com/tempoxyz/mpp-rs
github.com/tempoxyz/mpp-rs/releases/tag/v0.8.0
github.com/tempoxyz/mpp-rs/security/advisories/GHSA-fxc9-7j2w-vx54

Code Behaviors & Features

Detect and mitigate GHSA-fxc9-7j2w-vx54 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →