CVE-2014-10067
Description
paypal-ipn before 3.0.0 uses the test_ipn parameter (which is set by the PayPal IPN simulator) to determine if it should use the production PayPal site or the sandbox. With a bit of time, an attacker could craft a request using the simulator that would fool any application which does not explicitly check for test_ipn in production.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
paypal-ipn before 3.0.0 trusts the `test_ipn` parameter, allowing attackers to redirect IPN verification to the PayPal sandbox and bypass validation in production.
Vulnerability
The PayPal IPN (Instant Payment Notification) library for Node.js, paypal-ipn versions before 3.0.0, trusts the test_ipn parameter sent by the PayPal IPN simulator to decide whether to verify the notification against PayPal's production or sandbox endpoint [1]. An attacker can include this parameter in a crafted IPN request, and if the application does not explicitly reject it in production, the library will use the sandbox endpoint for verification [1].
Exploitation
An attacker crafts an IPN notification that carries the test_ipn parameter set to a truthy value and posts it to the vulnerable application's IPN handler. No authentication or special network position is required, as the IPN endpoint is typically public. Because PayPal's IPN simulator sets test_ipn on the notifications it generates, the attacker can have the sandbox emit a fraudulent but well-formed payment notification; when the application verifies it, the library sees test_ipn and posts the notification back to the sandbox rather than to production, the sandbox answers that it is valid, and the application accepts the fake payment [1].
Impact
Successful exploitation allows the attacker to trick the application into treating a fake payment as genuine. This can lead to unauthorized access to goods or services, account balance manipulation, or other financial fraud, as the application processes the notification as if it came from PayPal's production system [1].
Mitigation
Upgrade to paypal-ipn version 3.0.0 or later, where the library no longer lets the test_ipn parameter select the sandbox and verifies against the production endpoint [1]. Applications that cannot upgrade immediately must explicitly check for and reject any IPN request containing the test_ipn parameter before handing it to the library; the vulnerable versions provide no workaround of their own. The vulnerability is not listed in CISA KEV.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| paypal-ipn | npm | < 3.0.0 | 3.0.0 |
Affected products
- Range: <3.0.0
- HackerOne / paypal-ipn node module: Range: <3.0.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- https://github.com/advisories/GHSA-h698-r4hm-w94p (GHSA, ADVISORY)
- https://nvd.nist.gov/vuln/detail/CVE-2014-10067 (GHSA, ADVISORY)
- https://github.com/andzdroid/paypal-ipn/issues/11 (GHSA, x_refsource_MISC, WEB)
- https://nodesecurity.io/advisories/26 (MITRE, x_refsource_MISC)
- https://www.npmjs.com/advisories/26 (GHSA, WEB)
News mentions
No linked articles in our index yet.