CVE-2026-59252
Received Received - Intake

Denial of Service in ZenHive mpp via Gas Limit Exploitation

Vulnerability report for CVE-2026-59252, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-17

Last updated on: 2026-07-17

Assigner: EEF

Description

Improper Validation of Specified Quantity in Input in ZenHive mpp allows an unauthenticated remote client to drain the fee-payer wallet, resulting in denial of service for legitimate clients. When the mpp Elixir library is configured as fee payer (fee_payer: true), the MPP.Methods.Tempo payment method co-signs and broadcasts a client-supplied EVM transaction without first validating that the client-supplied gas_limit is sufficient to complete the intended call. A malicious client can submit a signed transferWithMemo transaction with gas_limit deliberately set just below the amount required for successful execution. The server co-signs the transaction and broadcasts it via rpc_broadcast_sync. The transaction runs out of gas during EVM execution and reverts, but the fee-payer wallet is still charged for the burned gas while the client pays nothing and receives no resource. Repeated requests from one or more malicious clients drain the fee-payer wallet at near-zero cost to the attacker, ultimately preventing the server from sponsoring gas for legitimate payment requests. The wait_for_confirmation = false (optimistic) path is also affected: it invokes simulate_payment_call via eth_call, but that simulation omits the gas parameter and therefore does not catch out-of-gas conditions. This issue affects mpp: from 0.2.0 before 0.6.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-17
Last Modified
2026-07-17
Generated
2026-07-17
AI Q&A
2026-07-17
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
zenhive mpp From 0.2.0 (inc) to 0.6.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1284 The product receives input that is expected to specify a quantity (such as size or length), but it does not validate or incorrectly validates that the quantity has the required properties.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is a gas draining flaw in the ZenHive mpp library (versions 0.2.0 to <0.6.0) where the server acts as a fee payer without validating the client-supplied gas limit. A malicious client submits a transaction with insufficient gas, causing it to fail during execution while the server still pays for the burned gas. This drains the fee-payer wallet at no cost to the attacker, enabling a denial of service for legitimate clients.

Detection Guidance

Monitor fee-payer wallet balances for unexpected rapid depletion. Check transaction logs for repeated failed transactions with gas_limit set just below required amounts. Inspect mpp library versions (>=0.2.0, <0.6.0) for vulnerable configurations where fee_payer is enabled.

Impact Analysis

If you run a fee-payer server using mpp versions 0.2.0 to <0.6.0, attackers can drain your wallet by repeatedly submitting transactions with insufficient gas. This depletes funds needed for legitimate transactions, disrupting service. The attack requires no authentication and can be automated with multiple clients.

Compliance Impact

This vulnerability primarily affects financial systems and transaction integrity rather than direct compliance with GDPR or HIPAA. However, it could indirectly impact compliance by enabling financial fraud or service disruption, which may violate data protection principles under GDPR (e.g., integrity and confidentiality of processing) or financial regulations requiring secure transaction processing.

Mitigation Strategies

Upgrade mpp to version 0.6.0 or later. Disable fee_payer configuration if not required. Implement pre-broadcast transaction simulation using eth_simulateV1 to validate gas limits before execution.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-59252. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart