Skip to main content
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.
Reconnecting to live updates…

CVE-2026-59252: CWE-1284 Improper Validation of Specified Quantity in Input in ZenHive mpp

0
High
VulnerabilityCVE-2026-59252cvecve-2026-59252cwe-1284
Published: 07/17/2026 (07/17/2026, 10:11:54 UTC)
Source: CVE Database V5
Vendor/Project: ZenHive
Product: mpp

Description

Improper Validation of Specified Quantity in Input in ZenHive mpp allows an unauthenticated remote client to drain the fee-payer wallet, resulting in denial of service for legitimate clients. When the mpp Elixir library is configured as fee payer (fee_payer: true), the MPP.Methods.Tempo payment method co-signs and broadcasts a client-supplied EVM transaction without first validating that the client-supplied gas_limit is sufficient to complete the intended call. A malicious client can submit a signed transferWithMemo transaction with gas_limit deliberately set just below the amount required for successful execution. The server co-signs the transaction and broadcasts it via rpc_broadcast_sync. The transaction runs out of gas during EVM execution and reverts, but the fee-payer wallet is still charged for the burned gas while the client pays nothing and receives no resource. Repeated requests from one or more malicious clients drain the fee-payer wallet at near-zero cost to the attacker, ultimately preventing the server from sponsoring gas for legitimate payment requests. The wait_for_confirmation = false (optimistic) path is also affected: it invokes simulate_payment_call via eth_call, but that simulation omits the gas parameter and therefore does not catch out-of-gas conditions. This issue affects mpp: from 0.2.0 before 0.6.0.

CVSS v4.0

Score 8.2high

Attack Vector
Network
Attack Complexity
Low
Attack Requirements
Present
Privileges Required
None
User Interaction
None
Vuln. Confidentiality
None
Vuln. Integrity
None
Vuln. Availability
High
Subsq. Confidentiality
None
Subsq. Integrity
None
Subsq. Availability
None
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Affected software

mpp
pkg:hex/mpp
Affected versions
>=0.2.0 <0.6.0
GitHub Actionsmore threats →cve
ZenHive/mpp
pkg:github/ZenHive/mpp
CPE configurations
cpe:2.3:a:ZenHive:mpp:*:*:*:*:*:*:*:*

Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.

AI-Powered Analysis

Machine-generated threat intelligence

AILast updated: 07/18/2026, 09:35:30 UTC

Technical Analysis

The vulnerability arises because the MPP.Methods.Tempo payment method co-signs and broadcasts client-supplied EVM transactions without validating that the gas_limit is sufficient for successful execution. Attackers can submit signed transferWithMemo transactions with gas_limit set just below the required amount, causing the transaction to revert during execution but still consuming gas fees from the fee-payer wallet. Additionally, the optimistic path (wait_for_confirmation = false) uses eth_call simulation that omits the gas parameter, failing to detect out-of-gas conditions. This flaw allows unauthenticated remote clients to drain the fee-payer wallet at near-zero cost, resulting in denial of service for legitimate users. The issue affects mpp versions from 0.2.0 before 0.6.0.

Potential Impact

An attacker can cause the fee-payer wallet to be drained by repeatedly submitting transactions with insufficient gas limits that revert but still consume gas fees. This results in denial of service for legitimate clients who rely on the fee-payer wallet to sponsor gas fees for their transactions. The attacker incurs minimal cost while depleting the wallet, potentially disrupting normal service operation.

Mitigation Recommendations

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, users should avoid configuring the mpp Elixir library as fee payer or implement additional validation of gas_limit before broadcasting transactions. Monitoring transaction gas usage and limiting fee-payer wallet exposure may help reduce risk.

Pro Console: star threats, build custom feeds, automate alerts via Slack, email & webhooks.Upgrade to Pro

Technical Details

Data Version
5.2
Assigner Short Name
EEF
Date Reserved
2026-07-04T04:24:03.653Z
Cvss Version
4.0
State
PUBLISHED
Remediation Level
null

Threat ID: 6a5b400c34329bf928c6fbc1

Added to database: 07/18/2026, 08:57:48 UTC

Last enriched: 07/18/2026, 09:35:30 UTC

Last updated: 07/18/2026, 11:08:17 UTC

Views: 4

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by
Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Actions

PRO

Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.

Please log in to the Console to use AI analysis features.

Need more coverage?

Upgrade to Pro Console for AI refresh and higher limits.

For incident response and remediation, OffSeq services can help resolve threats faster.

Latest Threats

Breach by OffSeqOFFSEQFRIENDS — 25% OFF

Check if your credentials are on the dark web

Instant breach scanning across billions of leaked records. Free tier available.

Scan now
OffSeq TrainingCredly Certified

Lead Pen Test Professional

Technical5-day eLearningPECB Accredited
View courses