Intel

AIKIDO-2026-369362

mppx is vulnerable to Improper Authorization

Improper Authorization Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published Today

64

Medium Risk

This Affects:

JSmppx
0.1.0 - 0.6.8
Fixed in 0.6.9
Are you affected? Scan for Free

TL;DR

The Stripe service in the mppx payments proxy injects the operator's Stripe API key as the upstream Authorization header but forwards other caller-supplied request headers unchanged. The rewriteRequest hook does not remove an incoming Stripe-Account header, and the shared proxy header scrubbing does not strip it either, so a client can attach a Stripe-Account header that the proxy forwards to the Stripe API. Because the proxy authenticates with the operator's platform credentials, the caller can direct requests at an arbitrary Stripe connected account instead of the intended one. The fix deletes any caller-supplied Stripe-Account header before setting the upstream Authorization header.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and you expose the mppx Stripe proxy service with platform credentials that can act on Stripe connected accounts.

Background info

mppx is vulnerable to Improper Authorization in versions 0.1.0 - 0.6.8.

How to fix this

Upgrade the mppx library to the patch version.