Listen to this Post
How the Mentioned Vulnerabilities Work
The mpp-rs project (a Rust implementation of a multi-party payment system) contains a set of critical flaws in its payment request handling logic. Specifically, the endpoints tempo/charge, tempo/session, and `channel` lack proper validation of the request origin and payment state. An attacker can forge or replay requests to `tempo/charge` without actually completing the Stripe payment, because the server does not verify that a valid payment intent exists before updating the user’s credit balance. Similarly, the `tempo/session` handler fails to enforce that a session is active and paid for, allowing an adversary to create unlimited sessions without incurring charges. Griefing vectors exist in the channel subsystem: by sending malformed or rapid-fire `channel` requests, a malicious user can exhaust server resources or lock legitimate users out of their active sessions. The vulnerabilities stem from improper state synchronization between the payment processor (Stripe) and the application’s in‑memory session store. No cryptographic nonce or idempotency key is enforced, enabling replay attacks that double‑spend credits or bypass billing entirely. The patches in version 0.8.0 introduce strict request validation, idempotency keys, and atomic updates to prevent these bypasses.
DailyCVE Form (3 words max per line)
Platform: mpp-rs
Version: < 0.8.0
Vulnerability: Payment bypass, griefing
Severity: Critical
Date: Mar 26, 2026
Prediction: Patched in 0.8.0
What Undercode Say: Analytics
Check for vulnerable endpoints (example)
curl -X POST https://target/tempo/charge \
-H "Content-Type: application/json" \
-d '{"amount":1000,"userId":"victim"}' \
--proxy http://127.0.0.1:8080
Verify if session creation bypass works
curl -X POST https://target/tempo/session \
-d "userId=attacker" \
-w "%{http_code}"
Detect missing idempotency
for i in {1..5}; do
curl -X POST https://target/channel -d "action=create" &
done
How Exploit
- Intercept a legitimate `tempo/charge` request and replay it multiple times to inflate credits without additional payments.
- Send `tempo/session` requests with a forged `userId` to create active sessions while bypassing the payment gateway.
- Flood `channel` endpoints with concurrent requests to exhaust server threads, causing denial of service for other users.
Protection from this CVE
- Upgrade to mpp-rs version 0.8.0 immediately.
- If upgrade is not possible, deploy a Web Application Firewall (WAF) rule to rate‑limit `/tempo/` and `/channel` endpoints.
- Monitor Stripe webhook logs for mismatches between payment intents and internal credit updates.
Impact
- Financial loss: Attackers can use services without paying.
- Service disruption: Griefing attacks render the platform unusable for legitimate users.
- Reputational damage: Trust in the payment system is broken, leading to user attrition.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

