In a critical development for online payment security, leading payment gateway provider Zarinpal has issued an urgent security advisory regarding CVE-2026-2592. This high-severity vulnerability exposes merchants and customers to remote code execution (RCE) attacks.
Disclosed today by the CVE program and assigned a CVSS v4.0 base score of 9.1 (Critical), the flaw affects Zarinpal’s core API endpoints used in e-commerce integrations across the Middle East and beyond.
CVE-2026-2592 stems from an improper input validation flaw in Zarinpal’s transaction processing library (version 4.2.1 and earlier). Specifically, the vulnerability arises in the /api/v4/payments/verify endpoint, where user-supplied JSON payloads are deserialized without sufficient sanitization.
| Key Field | Details |
|---|---|
| CVE ID | CVE-2026-2592 |
| Product | Zarinpal Gateway |
| Severity | Critical (CVSS 9.1) |
| Type | Prototype Pollution / RCE |
| Versions | ≤4.2.1 |
| Patch | v4.3.0 |
| Impact | Remote code execution, data theft |
Attackers can craft malicious payloads that exploit a prototype pollution chain in the underlying Node.js runtime (v18.x series), allowing arbitrary injection of JavaScript object properties.
The root cause traces to a deserialization routine in zarinpal-lib.js, which recursively merges user inputs into internal state objects without enforcing prototype isolation.
By injecting __proto__ properties, attackers overwrite critical methods like toString() or valueOf(), leading to type confusion during transaction verification.
Successful exploitation triggers a sandbox escape, executing arbitrary shell commands on the gateway server, often as the www-data user with elevated privileges via misconfigured cron jobs.
Zarinpal first detected the issue during internal red-team exercises in late January 2026, after anomalous API logs showed inflated transaction volumes.
Independent verification by the cybersecurity firm ShadowSec confirmed the exploit chain: a POST request with a 1KB payload suffices and requires no authentication beyond a valid merchant token (obtainable via social engineering or credential stuffing).
Proof-of-concept (PoC) code, now circulating on underground forums such as Exploit-DB mirrors, demonstrates RCE by spawning a reverse shell on attacker-controlled infrastructure.
In lab tests, exploitation succeeds in under 5 seconds against default configurations, with potential impacts including data exfiltration (e.g., payment card details from Redis caches), ransomware deployment, or gateway downtime affecting millions of transactions daily.
Zarinpal urges immediate patching to version 4.3.0, which introduces strict Object.create(null) prototypes, schema-validated deserialization via Joi 17.13+, and rate-limiting on verification endpoints.
Workarounds include disabling legacy v4 APIs or implementing Web Application Firewalls (WAFs) with custom rules blocking __proto__ in payloads, for example this ModSecurity rule:

```apache
SecRule ARGS "@rx __proto__" "id:2592,\
    phase:2,\
    block,\
    msg:'CVE-2026-2592 Prototype Pollution'"
```
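The merge-into-state pattern described above, the Object.create(null) hardening the patch introduces, and a structural counterpart to the WAF rule, as an added example that is not code from Zarinpal, the advisory, or zarinpal-lib.js. Function names and the sample payload fields are constructed for illustration. One caveat on the WAF rule itself: a ModSecurity rule on ARGS only sees keys inside a JSON body when the JSON request body processor is enabled for that request; the scanner below inspects the parsed object directly and also catches the constructor.prototype route and keys nested inside arrays.

```javascript
// Added example, not code from Zarinpal or the advisory. It shows how a
// recursive merge becomes a prototype-pollution sink, the hardened form the
// advisory describes (null-prototype state, dangerous keys rejected), and a
// structural scanner that flags polluting keys at any depth of a payload.
// Function names and the sample payload fields are constructed for illustration.

// Keys that let a merge climb from a plain object to Object.prototype.
const DANGEROUS_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// VULNERABLE pattern: every key of untrusted input is merged, so a key named
// "__proto__" resolves (via the inherited accessor) to Object.prototype and
// the nested values are written onto every object in the process.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (isPlainObject(value)) {
      if (!isPlainObject(target[key])) target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Runs a constructed polluting payload through the vulnerable merge and
// reports what an unrelated object sees afterwards. Cleans up the global
// prototype so nothing else in the process is affected.
function demonstratePollution() {
  const payload = JSON.parse('{"amount": 1000, "__proto__": {"zpPolluted": "yes"}}');
  const state = {};
  try {
    unsafeMerge(state, payload);
    const bystander = {};
    return {
      ownKey: Object.prototype.hasOwnProperty.call(state, 'zpPolluted'),
      bystanderSees: bystander.zpPolluted,
    };
  } finally {
    delete Object.prototype.zpPolluted;
  }
}

// HARDENED merge: children are created with Object.create(null) so there is
// no prototype to climb, and the three dangerous keys are rejected outright.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (DANGEROUS_KEYS.has(key)) throw new Error(`rejected key "${key}"`);
    const value = source[key];
    if (isPlainObject(value)) {
      const existing = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : undefined;
      target[key] = safeMerge(isPlainObject(existing) ? existing : Object.create(null), value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// DETECTION: list every JSONPath-style location where a dangerous key occurs,
// at any depth and inside arrays. Unlike a flat regex on "__proto__", it also
// catches the "constructor.prototype" route.
function findDangerousPaths(value, path = '$', out = []) {
  if (Array.isArray(value)) {
    value.forEach((item, i) => findDangerousPaths(item, `${path}[${i}]`, out));
  } else if (isPlainObject(value)) {
    for (const key of Object.keys(value)) {
      const here = `${path}.${key}`;
      if (DANGEROUS_KEYS.has(key)) out.push(here);
      findDangerousPaths(value[key], here, out);
    }
  }
  return out;
}

// Gate for a verify-style endpoint: reject the request if the scanner finds
// anything, otherwise merge into a null-prototype state object.
function processVerifyPayload(rawJson) {
  const payload = JSON.parse(rawJson);
  const hits = findDangerousPaths(payload);
  if (hits.length > 0) {
    return { accepted: false, reason: `prototype pollution attempt at ${hits.join(', ')}` };
  }
  return { accepted: true, state: safeMerge(Object.create(null), payload) };
}

console.log(demonstratePollution());
console.log(processVerifyPayload('{"authority": "A000-constructed", "amount": 1000}'));
console.log(processVerifyPayload('{"amount": 1000, "__proto__": {"zpPolluted": "yes"}}'));
```

The scanner's output (a list of paths) is what you would want in an application log or SIEM event: it records where in the payload the attempt sat, which a blanket WAF block does not, and it fires on `constructor`/`prototype` chains that a `__proto__`-only regex misses. Rejecting before deserialization, rather than relying on the merge to throw, keeps the two defences independent.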
No evidence of active exploitation has been observed yet, but threat actors linked to Iranian cybercrime groups have shown interest, according to Recorded Future intelligence.
Merchants integrating Zarinpal on platforms like WooCommerce and custom Laravel apps face increased risks, especially amid rising phishing campaigns targeting Persian-speaking developers.
Broader implications ripple through regional fintech: Zarinpal processes over 40% of Iran’s online payments, according to 2025 Statista data.
This incident underscores persistent supply-chain risks at third-party gateways, echoing the Log4Shell (CVE-2021-44228) incident. Experts recommend network segmentation, API token rotation, and runtime monitoring with tools like Falco.
Site: cybersecuritypath.com