PT-2026-60734 · Mpp · Mpp

·

CVE-2026-59252

·

Published

2026-07-17

·

Updated

2026-07-17

CVSS v4.0

8.2

High

VectorAV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions mpp versions 0.2.0 through 0.5.9
Description Improper validation of input quantities allows an unauthenticated remote client to drain the fee-payer wallet, leading to a denial of service for legitimate clients. When the library is configured with fee payer: true, the MPP.Methods.Tempo payment method co-signs and broadcasts client-supplied EVM transactions without verifying if the gas limit is sufficient. An attacker can submit a transferWithMemo transaction with a gas limit set just below the required amount. The server broadcasts this via rpc broadcast sync, and although the transaction reverts due to running out of gas, the fee-payer wallet is charged for the burned gas. Additionally, the optimistic path where wait for confirmation = false is affected because the simulate payment call function via eth call omits the gas parameter, failing to detect out-of-gas conditions.
Recommendations Update mpp to version 0.6.0 or later. As a temporary mitigation, set fee payer to false in the MPP.Methods.Tempo configuration to disable server-side gas sponsorship.

Exploit

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-59252
GHSA-VJ8P-HP9X-GH47

Affected Products

Mpp