CVE-2026-34210: mppx has Stripe charge credential replay via missing idempotency check
The stripe/charge payment method did not check Stripe’s Idempotent-Replayed response header when creating PaymentIntents. An attacker could replay a valid credential containing the same spt token against a new challenge; because Stripe treated the repeated request as an idempotent replay, it returned the original PaymentIntent without charging the customer again, and the server accepted that replayed PaymentIntent as a new successful payment. This allowed an attacker to pay once and then consume unlimited resources by replaying the credential.
References
- github.com/advisories/GHSA-8mhj-rffc-rcvw
- github.com/wevm/mppx
- github.com/wevm/mppx/commit/b2b1a0b60506fc71aa80b8a025084949dca1a994
- github.com/wevm/mppx/releases/tag/mppx%400.4.11
- github.com/wevm/mppx/security/advisories/GHSA-8mhj-rffc-rcvw
- nvd.nist.gov/vuln/detail/CVE-2026-34210