mppx is vulnerable to Improper Authorization
64
Medium Risk
The Stripe service in the mppx payments proxy injects the operator's Stripe API key as the upstream Authorization header but forwards other caller-supplied request headers unchanged. The rewriteRequest hook does not remove an incoming Stripe-Account header, and the shared proxy header scrubbing does not strip it either, so a client can attach a Stripe-Account header that the proxy forwards to the Stripe API. Because the proxy authenticates with the operator's platform credentials, the caller can direct requests at an arbitrary Stripe connected account instead of the intended one. The fix deletes any caller-supplied Stripe-Account header before setting the upstream Authorization header.
You are affected if you are using a version that falls within the vulnerable range and you expose the mppx Stripe proxy service with platform credentials that can act on Stripe connected accounts.
mppx is vulnerable to Improper Authorization in versions 0.1.0 - 0.6.8.
Upgrade the mppx library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

I consent to receiving marketing communications based on Aikido’s Privacy Policy.
SOC 2Compliant
ISO 27001Compliant