Mpp · Mpp · CVE-2026-59252
**Name of the Vulnerable Software and Affected Versions**
mpp versions 0.2.0 through 0.5.9
**Description**
Improper validation of input quantities allows an unauthenticated remote client to drain the fee-payer wallet, leading to a denial of service for legitimate clients. When the library is configured with `fee payer: true`, the `MPP.Methods.Tempo` payment method co-signs and broadcasts client-supplied EVM transactions without verifying if the `gas limit` is sufficient. An attacker can submit a `transferWithMemo` transaction with a `gas limit` set just below the required amount. The server broadcasts this via `rpc broadcast sync`, and although the transaction reverts due to running out of gas, the fee-payer wallet is charged for the burned gas. Additionally, the optimistic path where `wait for confirmation = false` is affected because the `simulate payment call` function via `eth call` omits the gas parameter, failing to detect out-of-gas conditions.
**Recommendations**
Update mpp to version 0.6.0 or later.
As a temporary mitigation, set `fee payer` to `false` in the `MPP.Methods.Tempo` configuration to disable server-side gas sponsorship.