Intel

AIKIDO-2026-484607

mppx is vulnerable to Authentication Bypass

Authentication Bypass Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published Today

59

Medium Risk

This Affects:

JSmppx
0.5.5 - 0.6.11
Fixed in 0.6.12
Are you affected? Scan for Free

TL;DR

The Tempo pull-transaction charge verification in src/tempo/server/Charge.ts matches on-chain transfer calls and logs against the expected payment but does not confirm the transfer memo is cryptographically bound to the current server challenge. When the expected transfer has no server-set memo the matcher treats it as allowAnyMemo and accepts any memo, so a signed transaction or transfer whose attribution memo was bound to a different challenge still verifies. An attacker can reuse or replay such a payment against a separate challenge for the same amount, currency, and recipient, bypassing per-challenge payment authorization. The fix adds assertChallengeBoundCallMemo and applies assertChallengeBoundMemo to matched calls and logs so the memo must verify against the current challengeId and realm.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and your server accepts Tempo pull-mode (transaction credential) charges.

Background info

mppx is vulnerable to Authentication Bypass in versions 0.5.5 - 0.6.11.

How to fix this

Upgrade the mppx library to the patch version.