mppx is vulnerable to Authentication Bypass
59
Medium Risk
The Tempo pull-transaction charge verification in src/tempo/server/Charge.ts matches on-chain transfer calls and logs against the expected payment but does not confirm the transfer memo is cryptographically bound to the current server challenge. When the expected transfer has no server-set memo the matcher treats it as allowAnyMemo and accepts any memo, so a signed transaction or transfer whose attribution memo was bound to a different challenge still verifies. An attacker can reuse or replay such a payment against a separate challenge for the same amount, currency, and recipient, bypassing per-challenge payment authorization. The fix adds assertChallengeBoundCallMemo and applies assertChallengeBoundMemo to matched calls and logs so the memo must verify against the current challengeId and realm.
You are affected if you are using a version that falls within the vulnerable range and your server accepts Tempo pull-mode (transaction credential) charges.
mppx is vulnerable to Authentication Bypass in versions 0.5.5 - 0.6.11.
Upgrade the mppx library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

I consent to receiving marketing communications based on Aikido’s Privacy Policy.
SOC 2Compliant
ISO 27001Compliant