CVE-2026-34209

EPSS 0.04%
Veröffentlicht 31.03.2026 14:10:46
Zuletzt bearbeitet 03.04.2026 15:59:37
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

mppx is a TypeScript interface for machine payments protocol. Prior to version 0.4.11, the tempo/session cooperative close handler validated the close voucher amount using "<" instead of "<=" against the on-chain settled amount. An attacker could submit a close voucher exactly equal to the settled amount, which would be accepted without committing any new funds, effectively closing or griefing the channel for free. This issue has been patched in version 0.4.11.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 6

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Wevm ≫ Mppx SwPlatformnode.js Version < 0.4.11

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.04%	0.109

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CWE-294 Authentication Bypass by Capture-replay

A capture-replay flaw exists when the design of the product makes it possible for a malicious user to sniff network traffic and bypass authentication by replaying it to the server in question to the same effect as the original message (or with minor changes).

https://github.com/wevm/mppx/security/advisories/GHSA-mv9j-8jvg-j8mr

Patch

Vendor Advisory

https://github.com/wevm/mppx/commit/94088246ee18f21b5d6be40d9e7a464f5a280bfb

Patch

https://github.com/wevm/mppx/releases/tag/mppx@0.4.11

Release Notes

https://nvd.nist.gov/vuln/detail/CVE-2026-34209

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-34209

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-34209

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-34209