{"id":"GHSA-fxc9-7j2w-vx54","summary":"mpp has multiple payment bypass and griefing vulnerabilities","details":"### Impact\nMultiple vulnerabilities were discovered which allowed for undesirable behaviors, including:\n- Performing free `tempo/charge` requests\n- Replaying existing `tempo/charge` requests\n- Performing free `tempo/session` requests\n- Piggybacking off existing `tempo/session` channels\n- Griefing existing `tempo/session` channels\n- Manipulating the fee payer of a `tempo/charge` or `tempo/session` handler into paying for requests\n- Replaying existing `stripe/charge` requests\n\n### Patches\nThe issues are patched in 0.8.0\n\n### Workarounds\nThere are no workarounds available for these vulnerabilities","modified":"2026-03-29T15:33:28.903431Z","published":"2026-03-29T15:20:45Z","database_specific":{"cwe_ids":["CWE-288","CWE-294","CWE-345"],"github_reviewed_at":"2026-03-29T15:20:45Z","nvd_published_at":null,"severity":"CRITICAL","github_reviewed":true},"references":[{"type":"WEB","url":"https://github.com/tempoxyz/mpp-rs/security/advisories/GHSA-fxc9-7j2w-vx54"},{"type":"PACKAGE","url":"https://github.com/tempoxyz/mpp-rs"},{"type":"WEB","url":"https://github.com/tempoxyz/mpp-rs/releases/tag/v0.8.0"}],"affected":[{"package":{"name":"mpp","ecosystem":"crates.io","purl":"pkg:cargo/mpp"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"0.8.0"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-fxc9-7j2w-vx54/GHSA-fxc9-7j2w-vx54.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:H/SI:H/SA:N"}]}