GHSA-h698-r4hm-w94p

GitHub Security Advisory

Validation Bypass in paypal-ipn

✓ GitHub Reviewed MODERATE Has CVE

Advisory Details

Versions 2.x.x and earlier of `paypal-ipn` are affected by a validation bypass vulnerability.

paypal-ipn uses the `test_ipn` parameter (which is set by the PayPal IPN simulator) to determine if it should use the production PayPal site or the sandbox.

A motivated attacker could craft a request string using the simulator to fool the application into entering the sandbox mode, potentially allowing purchases without valid payment.
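The pattern described above, next to a hardened form, as an added example (not code from `paypal-ipn` or from the advisory). The function names, the `environment` setting and the sample bodies are assumptions made for the illustration.

```javascript
// Added illustration: hypothetical names, not the paypal-ipn API.
const PRODUCTION_HOST = 'www.paypal.com';
const SANDBOX_HOST = 'www.sandbox.paypal.com';

// Vulnerable pattern: the sender-controlled test_ipn field decides
// which PayPal site is asked to verify the notification.
function pickHostVulnerable(ipnBody) {
  const params = new URLSearchParams(ipnBody);
  return params.get('test_ipn') ? SANDBOX_HOST : PRODUCTION_HOST;
}

// Hardened pattern: deployment configuration decides the host. test_ipn is
// only a consistency check and is refused outright in production.
function pickHostHardened(ipnBody, config) {
  const params = new URLSearchParams(ipnBody);
  const claimsSandbox = params.has('test_ipn');
  if (config.environment !== 'production' && config.environment !== 'sandbox') {
    throw new Error('environment must be "production" or "sandbox"');
  }
  if (claimsSandbox && config.environment === 'production') {
    throw new Error('IPN carries test_ipn but this deployment is production');
  }
  return config.environment === 'sandbox' ? SANDBOX_HOST : PRODUCTION_HOST;
}

// Constructed sample IPN bodies (form-encoded), not real PayPal traffic.
const LIVE_BODY = 'txn_id=CONSTRUCTED001&payment_status=Completed&mc_gross=19.99';
const SIMULATOR_BODY = LIVE_BODY + '&test_ipn=1';

// Returns the verification host each variant would use, or the rejection.
function compare(ipnBody, config) {
  const result = { vulnerable: pickHostVulnerable(ipnBody) };
  try {
    result.hardened = pickHostHardened(ipnBody, config);
  } catch (err) {
    result.hardened = 'REJECTED: ' + err.message;
  }
  return result;
}

console.log(compare(LIVE_BODY, { environment: 'production' }));
console.log(compare(SIMULATOR_BODY, { environment: 'production' }));
console.log(compare(SIMULATOR_BODY, { environment: 'sandbox' }));
```

In the second call the vulnerable variant would verify the message against the sandbox, while the hardened variant rejects it before any verification request is made.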

## Recommendation

Upgrade to version 3.0.0 or later.

Affected Packages

npm paypal-ipn
Affected versions: 0 (fixed in 3.0.0)

Key Information

GHSA ID
GHSA-h698-r4hm-w94p
Published
August 31, 2020 10:54 PM
Last Modified
September 23, 2021 8:58 PM
CVSS Score
5.0 /10
Primary Ecosystem
npm
Primary Package
paypal-ipn
GitHub Reviewed
✓ Yes

Dataset

Last updated: July 4, 2025 6:27 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.