Replay Attack Affecting mpp package, versions <0.8.0


Severity: CVSS assessment by Snyk's Security Team.

  • Snyk ID: SNYK-RUST-MPP-15916589
  • published: 6 Apr 2026
  • disclosed: 29 Mar 2026
  • credit: Veria Labs, samczsun

Introduced: 29 Mar 2026

CVE: not available
CWE-288 (Authentication Bypass Using an Alternate Path or Channel)
CWE-294 (Authentication Bypass by Capture-replay)

How to fix?

Upgrade mpp to version 0.8.0 or higher.

Overview

mpp is a Rust SDK for the Machine Payments Protocol (MPP).

Affected versions of this package are vulnerable to Replay Attack through the tempo and stripe payment verification and channel/session handling paths in:
  • src/protocol/methods/tempo/method.rs
  • src/protocol/methods/tempo/session_method.rs
  • src/proxy/service.rs
  • src/server/sse.rs
  • src/protocol/methods/stripe/method.rs

Because a presented payment is not bound tightly enough to the specific request, session and single use it was issued for, an attacker can obtain free or repeated paid requests, piggyback on existing session channels, or force a fee payer to cover requests by replaying or misrouting payment flows.
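The following is an added illustration of the check class this advisory is about, not code from the mpp SDK. It models a generic pay-per-request flow: the server issues a single-use challenge recorded with the route, amount and session it was priced for, and later verifies the client's proof against the request it is actually serving (route and session taken from the server's own state, never from the proof) before consuming the challenge. `Challenge`, `PaymentProof`, `Verifier` and the `naive_accept` contrast are hypothetical names; signature and settlement verification of the proof are assumed to have happened before this step.

```rust
use std::collections::HashMap;
use std::time::{Duration, Instant};

/// A server-issued challenge for one paid request. Everything the server later
/// relies on (route, amount, session) is recorded here at issue time, so the
/// client cannot re-point a paid proof at a different request or session.
#[derive(Clone, Debug, PartialEq, Eq)]
pub struct Challenge {
    pub id: u64,
    pub route: String,
    pub amount: u64,
    pub session: String,
    pub issued_at: Instant,
}

/// What the client presents after paying. Signature/settlement checks are
/// assumed done already; this module only handles binding and single use.
#[derive(Clone, Debug)]
pub struct PaymentProof {
    pub challenge_id: u64,
    pub route: String,
    pub amount: u64,
    pub session: String,
}

#[derive(Debug, PartialEq, Eq)]
pub enum Reject {
    UnknownChallenge,
    AlreadyConsumed,
    Expired,
    BindingMismatch,
}

/// The weak check a replay-vulnerable verifier effectively performs: "is this
/// a valid proof for at least the price?" Nothing ties the proof to a specific
/// request, session or single use, so the same proof can be presented again.
pub fn naive_accept(proof: &PaymentProof, price: u64) -> bool {
    proof.amount >= price
}

pub struct Verifier {
    ttl: Duration,
    next_id: u64,
    pending: HashMap<u64, Challenge>,
    consumed: HashMap<u64, Instant>,
}

impl Verifier {
    pub fn new(ttl: Duration) -> Self {
        Verifier { ttl, next_id: 1, pending: HashMap::new(), consumed: HashMap::new() }
    }

    /// Issue a fresh, single-use challenge bound to the request being priced.
    pub fn issue(&mut self, route: &str, amount: u64, session: &str, now: Instant) -> Challenge {
        let c = Challenge {
            id: self.next_id,
            route: route.to_string(),
            amount,
            session: session.to_string(),
            issued_at: now,
        };
        self.next_id += 1; // ids are never reused, so a pruned id can never be accepted later
        self.pending.insert(c.id, c.clone());
        c
    }

    /// Verify a proof against the request actually being served (`route` and
    /// `session` come from the server's routing/session state, not from the
    /// proof) and consume the challenge so it can never be used again.
    pub fn verify_and_consume(
        &mut self,
        proof: &PaymentProof,
        route: &str,
        session: &str,
        now: Instant,
    ) -> Result<(), Reject> {
        if self.consumed.contains_key(&proof.challenge_id) {
            return Err(Reject::AlreadyConsumed); // a replay: worth alerting on, not just denying
        }
        let c = self.pending.get(&proof.challenge_id).ok_or(Reject::UnknownChallenge)?.clone();
        if now.duration_since(c.issued_at) > self.ttl {
            self.pending.remove(&proof.challenge_id);
            return Err(Reject::Expired);
        }
        let bound = c.route == route
            && c.session == session
            && proof.route == c.route
            && proof.amount == c.amount
            && proof.session == c.session;
        if !bound {
            return Err(Reject::BindingMismatch); // challenge stays pending; nothing consumed
        }
        self.pending.remove(&proof.challenge_id);
        self.consumed.insert(proof.challenge_id, now);
        Ok(())
    }

    /// Drop bookkeeping older than the TTL. Because ids are monotonic, an id
    /// pruned from both maps is later rejected as UnknownChallenge.
    pub fn prune(&mut self, now: Instant) {
        let ttl = self.ttl;
        self.pending.retain(|_, c| now.duration_since(c.issued_at) <= ttl);
        self.consumed.retain(|_, t| now.duration_since(*t) <= ttl);
    }
}

fn main() {
    let now = Instant::now();
    let mut v = Verifier::new(Duration::from_secs(60));
    let c = v.issue("/v1/paid", 100, "session-A", now);
    let proof = PaymentProof { challenge_id: c.id, route: c.route.clone(), amount: c.amount, session: c.session.clone() };
    println!("first use: {:?}", v.verify_and_consume(&proof, "/v1/paid", "session-A", now));
    println!("replay:    {:?}", v.verify_and_consume(&proof, "/v1/paid", "session-A", now));
    println!("naive check still accepts the replayed proof: {}", naive_accept(&proof, 100));
}
```

The three properties that matter are checked in order: reuse is refused before anything else (and logged as a distinct condition, since a replay is a detection signal), expiry bounds how long a stolen proof stays usable, and the binding check compares the proof to the request the server is serving rather than to fields the client chose. A failed binding check deliberately leaves the challenge pending so that an attacker probing with a proof from another session cannot burn the legitimate holder's challenge.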
