CVE-2026-34210

High
CWE-697 — Weakness Type
Published: Mar 31, 2026  ·  Modified: Apr 7, 2026  ·  Source: NVD
CVSS v3
8.1
📄 Description (English)

mppx is a TypeScript interface for machine payments protocol. Prior to version 0.4.11, the stripe/charge payment method did not check Stripe's Idempotent-Replayed response header when creating PaymentIntents. An attacker could replay a valid credential containing the same spt token against a new challenge, and the server would accept the replayed Stripe PaymentIntent as a new successful payment without actually charging the customer again. This allowed an attacker to pay once and consume unlimited resources by replaying the credential. This issue has been patched in version 0.4.11.

🤖 AI Executive Summary

CVE-2026-34210 is a critical payment replay vulnerability in the mppx TypeScript library affecting Stripe payment processing. Attackers can replay valid payment credentials to bypass the actual charge, allowing unlimited resource consumption from a single legitimate payment. This vulnerability impacts any Saudi organization using mppx for payment processing, particularly e-commerce and fintech platforms. Immediate patching to version 0.4.11 is essential to prevent financial fraud and unauthorized transactions.

🤖 AI Intelligence Analysis (Analyzed: Apr 26, 2026 11:46)
🇸🇦 Saudi Arabia Impact Assessment
This vulnerability poses significant risk to Saudi financial sector organizations including: (1) E-commerce platforms and online retailers accepting Stripe payments; (2) Fintech companies and digital payment service providers regulated by SAMA; (3) STC and other telecom operators offering digital payment services; (4) Healthcare providers processing patient payments; (5) Government agencies using mppx for online service payments. The vulnerability enables direct financial loss through payment replay attacks and potential regulatory violations under SAMA's payment system oversight. Organizations in the Kingdom using mppx for production payment processing face immediate fraud risk and potential compliance violations.
🏢 Affected Saudi Sectors
Banking and Financial Services; E-commerce and Retail; Fintech and Digital Payments; Telecommunications (STC, Zain, Mobily); Healthcare Providers; Government Services; Travel and Hospitality
⚖️ Saudi Risk Score (AI)
8.7
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Identify all systems running mppx versions prior to 0.4.11 using dependency scanning tools (npm audit, Snyk, OWASP Dependency-Check)
2. Isolate affected payment processing systems from production if exploitation is suspected
3. Review transaction logs for suspicious replay patterns (identical spt tokens with different timestamps/challenges)
4. Notify SAMA if any unauthorized transactions are detected

PATCHING GUIDANCE:
1. Upgrade mppx to version 0.4.11 or later immediately
2. Update package.json: "mppx": "^0.4.11"
3. Run npm install and npm audit to verify no remaining vulnerabilities
4. Redeploy payment processing services with updated dependencies
5. Conduct regression testing on payment workflows before production deployment

COMPENSATING CONTROLS (if immediate patching delayed):
1. Implement server-side validation of Stripe's Idempotent-Replayed response header
2. Add duplicate payment detection: reject PaymentIntents with identical spt tokens within a 24-hour window
3. Implement rate limiting on payment creation endpoints (max 5 requests per customer per hour)
4. Enable Stripe webhook verification and validate payment_intent.succeeded events
5. Monitor for unusual payment patterns and implement alerting

DETECTION RULES:
1. Alert on multiple PaymentIntent creations with identical spt token values
2. Monitor for Stripe API responses missing Idempotent-Replayed header
3. Flag transactions where the PaymentIntent status shows success without a corresponding charge
4. Detect rapid successive payment attempts from the same customer within a short timeframe
5. Log all Stripe API calls and cross-reference with actual charges processed
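The server-side check behind compensating control 1 and detection rule 1, written here as an added TypeScript example rather than mppx's own code: it refuses to credit a PaymentIntent that Stripe served from its idempotency cache (Stripe signals this with the `Idempotent-Replayed: true` response header) and refuses to let one spt token settle a second challenge. The credential shape, the response shape and the sample values are assumptions constructed for the example.

```typescript
// Added example, not mppx's own code. Shapes below are assumptions: a credential
// carrying the spt token and the challenge it answers, and a minimal view of a
// Stripe HTTP response (status, headers, PaymentIntent body).
interface Credential { sptToken: string; challengeId: string; }
interface StripeResponseLike {
  status: number;
  headers: Record<string, string>;
  body: { id: string; status: string };
}
type Verdict = "accepted" | "replayed_by_stripe" | "spt_reused" | "not_succeeded";

// Case-insensitive header lookup (HTTP header names are not case-sensitive).
function header(h: Record<string, string>, name: string): string | undefined {
  const key = Object.keys(h).find((k) => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? undefined : h[key];
}

class PaymentVerifier {
  // spt token -> challenge it first settled. In-memory here; a real service would
  // persist this so the check survives restarts and works across instances.
  private readonly settled = new Map<string, string>();

  settle(cred: Credential, resp: StripeResponseLike): Verdict {
    // Compensating control 1: Stripe sets `Idempotent-Replayed: true` when it served
    // a cached result for a reused Idempotency-Key. No new charge was made, so the
    // response must never be credited as a fresh payment.
    if ((header(resp.headers, "Idempotent-Replayed") ?? "").toLowerCase() === "true") {
      return "replayed_by_stripe";
    }
    if (resp.status !== 200 || resp.body.status !== "succeeded") return "not_succeeded";
    // Detection rule 1: one spt token may settle exactly one challenge.
    const prior = this.settled.get(cred.sptToken);
    if (prior !== undefined && prior !== cred.challengeId) return "spt_reused";
    this.settled.set(cred.sptToken, cred.challengeId);
    return "accepted";
  }
}

// Constructed scenario: a genuine first payment, the same credential replayed against
// a new challenge (Stripe flags it), then the same token against a third challenge.
function runScenario(): Verdict[] {
  const v = new PaymentVerifier();
  const fresh: StripeResponseLike = { status: 200, headers: { "Content-Type": "application/json" },
    body: { id: "pi_constructed_1", status: "succeeded" } };
  const replayed: StripeResponseLike = { ...fresh, headers: { "Idempotent-Replayed": "true" } };
  return [
    v.settle({ sptToken: "spt_constructed_1", challengeId: "ch_1" }, fresh),
    v.settle({ sptToken: "spt_constructed_1", challengeId: "ch_2" }, replayed),
    v.settle({ sptToken: "spt_constructed_1", challengeId: "ch_3" }, fresh),
  ];
}
```

`runScenario()` returns `["accepted", "replayed_by_stripe", "spt_reused"]`; the third verdict shows why the spt-token check matters even when a response carries no replay header.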
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC 2024 A.14.2.1 - Secure development and change management
ECC 2024 A.14.2.5 - Secure system architecture and engineering principles
ECC 2024 A.8.2.3 - User access management and authentication
ECC 2024 A.12.6.1 - Management of technical vulnerabilities
🔵 SAMA CSF
SAMA CSF ID.SC-4 - Supply chain risk management (third-party library vulnerabilities)
SAMA CSF PR.AC-1 - Access control and authentication mechanisms
SAMA CSF PR.DS-2 - Data security and integrity (payment data protection)
SAMA CSF DE.CM-1 - Detection and monitoring of anomalous activity
🟡 ISO 27001:2022
ISO 27001:2022 A.8.1.1 - User endpoint devices
ISO 27001:2022 A.8.2.3 - Management of privileged access rights
ISO 27001:2022 A.14.2.1 - Secure development policy
ISO 27001:2022 A.14.2.5 - Secure development environment
ISO 27001:2022 A.12.6.1 - Management of technical vulnerabilities
🟣 PCI DSS v4.0.1
PCI DSS 6.2 - Ensure security patches are installed within defined timeframe
PCI DSS 6.3.1 - Identify and remediate security vulnerabilities
PCI DSS 10.2.1 - Implement automated audit trails for access to payment data
PCI DSS 10.3.1 - Protect audit trail history from unauthorized modifications
📦 Affected Products / CPE (1 entry)
wevm:mppx
📊 CVSS Score
8.1
/ 10.0 — High
📊 CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Attack Vector (AV): N = Network
Attack Complexity (AC): L = Low
Privileges Required (PR): L = Low
User Interaction (UI): N = None
Scope (S): U = Unchanged
Confidentiality (C): N = None
Integrity (I): H = High
Availability (A): H = High
📋 Quick Facts
Severity: High
CVSS Score: 8.1
CWE: CWE-697
EPSS: 0.04%
Exploit: No
Patch: Yes
Published: 2026-03-31
Source Feed: nvd
🇸🇦 Saudi Risk Score: 8.7 / 10.0
Priority: CRITICAL
🏷️ Tags: patch-available, CWE-697