Race Condition in ZenithPay Gateway Allows Double-Spending (CVE-2025-31334)
A high-severity race condition vulnerability has been found in the ZenithPay payment processing gateway. This flaw, nicknamed “Phantom Transaction” and tracked as CVE-2025-31334, allows an attacker to defraud merchants by making purchases without spending any money. It has a CVSS score of 8.1 (High) and requires immediate attention from all service integrators.
TL;DR:
- What: A critical race condition vulnerability that enables payment bypass and double-spending.
- Affected Software: ZenithPay Gateway versions 2.5.0 through 2.9.1.
- Impact: Attackers can steal goods and services by tricking the system into confirming a payment that was simultaneously canceled.
- Action: Update to version 2.9.2 or newer immediately. Also, review recent transaction logs for anomalies.
What is ZenithPay?
ZenithPay is a popular open-source payment gateway used by e-commerce platforms and online merchants to process customer payments. It integrates with various payment methods to provide a unified transaction processing system.
The “Phantom Transaction” Vulnerability Explained
This vulnerability is a classic race condition. Think of it like two people trying to withdraw the last $100 from a shared bank account at the exact same time from two different ATMs. If the system isn’t designed correctly, both might get the money before the balance is updated, causing a loss for the bank.
In ZenithPay, the flaw exists between the payment confirm and cancel functions. These two operations are not “atomic”—meaning they don’t have a proper locking mechanism to ensure one finishes before the other can start.
The Attack Flow:
- An attacker initiates a payment for a product on a merchant’s website.
- Using a script, they send two requests to the ZenithPay API at almost the exact same microsecond: one to confirm the transaction and one to cancel it.
- The Race: The attacker aims to have the cancel request update their own balance (refunding their money) while the confirm request simultaneously updates the merchant’s view of the transaction, marking it as successful.
- The Result: The attacker receives a refund and also gets the product or service, effectively stealing it. The merchant is left with a successful order notification but no corresponding funds.
This attack exploits a tiny time window where the state of the transaction is ambiguous. Because the system lacks a proper locking mechanism, it processes both conflicting requests, leading to an inconsistent and fraudulent final state.
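The following Python model is an added example, not ZenithPay’s code and not taken from the advisory. It shows the check-then-act shape the text describes (both requests read “pending”, then both write) and the fix the patch is said to introduce: the state check and the state change performed under one lock, so the second request observes the terminal state and is rejected. The Transaction class, the field names and the function names are hypothetical; the vulnerable interleaving is scheduled explicitly so the inconsistent outcome is reproducible rather than timing-dependent.

```python
import threading
from dataclasses import dataclass


@dataclass
class Transaction:
    tx_id: str
    amount: int
    state: str = "pending"           # pending -> confirmed | cancelled (both terminal)
    buyer_refunded: bool = False     # money returned to the buyer
    merchant_credited: bool = False  # merchant told the payment succeeded


def is_consistent(tx):
    """A terminal transaction must carry exactly the side effect its state implies."""
    if tx.state == "confirmed":
        return tx.merchant_credited and not tx.buyer_refunded
    if tx.state == "cancelled":
        return tx.buyer_refunded and not tx.merchant_credited
    return False


# --- Vulnerable pattern (hypothetical model of the flaw): check-then-act with no lock.
# The check and the write are separate functions so the window between them can be
# scheduled deterministically instead of relying on thread timing.

def may_transition(tx):
    return tx.state == "pending"


def apply_confirm(tx):
    tx.state = "confirmed"
    tx.merchant_credited = True


def apply_cancel(tx):
    tx.state = "cancelled"
    tx.buyer_refunded = True


def run_vulnerable_interleaving(tx):
    """Both requests pass the 'still pending' check before either one writes."""
    confirm_allowed = may_transition(tx)   # request 1 checks
    cancel_allowed = may_transition(tx)    # request 2 checks: still pending
    if cancel_allowed:
        apply_cancel(tx)                   # refund issued to the buyer
    if confirm_allowed:
        apply_confirm(tx)                  # stale check: overwrites the cancellation
    return tx


# --- Hardened pattern: check and state write happen under one lock, so whichever
# request loses the race sees a terminal state and is rejected.

class AtomicTransaction:
    def __init__(self, tx):
        self.tx = tx
        self._lock = threading.Lock()

    def confirm(self):
        with self._lock:
            if self.tx.state != "pending":
                return False
            self.tx.state = "confirmed"
            self.tx.merchant_credited = True
            return True

    def cancel(self):
        with self._lock:
            if self.tx.state != "pending":
                return False
            self.tx.state = "cancelled"
            self.tx.buyer_refunded = True
            return True


def run_hardened_race(tx):
    """Fire confirm and cancel from two threads released at the same instant."""
    atomic = AtomicTransaction(tx)
    gate = threading.Barrier(2)

    def worker(op):
        gate.wait()
        op()

    threads = [threading.Thread(target=worker, args=(atomic.confirm,)),
               threading.Thread(target=worker, args=(atomic.cancel,))]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return tx


if __name__ == "__main__":
    bad = run_vulnerable_interleaving(Transaction("tx-1", 4999))
    print("vulnerable:", bad.state, "refunded:", bad.buyer_refunded,
          "merchant credited:", bad.merchant_credited, "consistent:", is_consistent(bad))
    good = run_hardened_race(Transaction("tx-2", 4999))
    print("hardened:", good.state, "consistent:", is_consistent(good))
```

The important property of the hardened version is not the lock itself but that the “is it still pending?” test and the write to a terminal state are indivisible; in a real gateway backed by a database the same effect comes from a conditional update (for example, only updating rows whose state is still pending and checking the affected-row count), which is the compare-and-set the in-process lock stands in for here.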
Impact and Remediation
The impact of CVE-2025-31334 is direct financial loss for merchants and platforms using the vulnerable gateway.
- Fraud and Theft: Attackers can systematically acquire goods or services for free.
- Loss of Trust: The integrity of the payment system is compromised, which can damage the reputation of merchants using it.
- Accounting Nightmares: Reconciling transaction logs becomes incredibly difficult, with records showing successful payments that never cleared.
Are you affected? You are vulnerable if your platform integrates with ZenithPay Gateway versions 2.5.0 through 2.9.1.
How to Fix It: The ZenithPay team has released a patch that introduces a robust locking mechanism on all transaction state changes, making them atomic and eliminating the race condition.
- Update the Gateway: Your top priority is to update your ZenithPay Gateway integration to version 2.9.2 or newer.
- Review Transaction Logs: It is crucial to review recent transaction logs for suspicious patterns. Look for transactions that were confirmed and canceled within the same second, especially from the same user account.
- Implement Velocity Checks: Consider implementing velocity checks to flag or temporarily block accounts that perform an unusually high rate of cancellations or transactions in a short period.
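The two detection steps above (log review for confirm/cancel pairs within a second, and a per-account cancellation velocity check) can be run over exported transaction logs with a short script. The one below is an added example, not a ZenithPay tool; the log line layout (`timestamp tx=… account=… event=… amount=…`) and the sample lines are constructed for illustration, so the regular expression must be adapted to whatever the gateway actually emits. It uses a one-second window rather than the literal wall-clock second, which also catches a pair straddling a second boundary, and a sliding 15-minute window for the velocity rule.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in an assumed "timestamp tx= account= event= amount=" layout.
# This is not ZenithPay's real log format; adapt LINE_RE to what your gateway writes.
SAMPLE_LOG = """\
2025-04-02T10:15:01.120Z tx=tx-1001 account=acct-7 event=confirm amount=4999
2025-04-02T10:15:01.131Z tx=tx-1001 account=acct-7 event=cancel amount=4999
2025-04-02T10:15:09.500Z tx=tx-1002 account=acct-3 event=confirm amount=1200
2025-04-02T10:16:02.000Z tx=tx-1003 account=acct-7 event=confirm amount=2500
2025-04-02T10:16:02.004Z tx=tx-1003 account=acct-7 event=cancel amount=2500
2025-04-02T10:20:00.000Z tx=tx-1004 account=acct-3 event=cancel amount=1200
2025-04-02T10:25:00.000Z tx=tx-1005 account=acct-7 event=confirm amount=800
2025-04-02T10:25:00.300Z tx=tx-1005 account=acct-7 event=cancel amount=800
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+tx=(?P<tx>\S+)\s+account=(?P<account>\S+)\s+"
    r"event=(?P<event>\S+)\s+amount=(?P<amount>\d+)$"
)


def parse_log(text):
    """Turn log lines into event dicts; lines that don't match the layout are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%S.%fZ")
        d["amount"] = int(d["amount"])
        events.append(d)
    return events


def find_confirm_cancel_pairs(events, window=timedelta(seconds=1)):
    """Transaction ids that carry both a confirm and a cancel within `window`."""
    first_seen = defaultdict(dict)          # tx id -> {event name: first timestamp}
    for e in events:
        first_seen[e["tx"]].setdefault(e["event"], e["ts"])
    flagged = []
    for tx_id, evs in first_seen.items():
        if "confirm" in evs and "cancel" in evs:
            if abs(evs["confirm"] - evs["cancel"]) <= window:
                flagged.append(tx_id)
    return sorted(flagged)


def accounts_over_cancel_velocity(events, max_cancels, window=timedelta(minutes=15)):
    """Accounts with more than `max_cancels` cancellations inside any sliding window."""
    cancels = defaultdict(list)
    for e in events:
        if e["event"] == "cancel":
            cancels[e["account"]].append(e["ts"])
    flagged = []
    for account, stamps in cancels.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1          # slide the window forward
            if end - start + 1 > max_cancels:
                flagged.append(account)
                break
    return sorted(flagged)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("confirm+cancel within 1s:", find_confirm_cancel_pairs(evs))
    print("cancel velocity exceeded:", accounts_over_cancel_velocity(evs, max_cancels=2))
```

On the constructed sample, three transactions are flagged by the pairing rule and one account by the velocity rule. The thresholds (one second, two cancellations per fifteen minutes) are starting points for a review, not fraud verdicts: legitimate duplicate clicks can produce a confirm/cancel pair, so flagged items are candidates for manual reconciliation against settlement records.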
Resources and Citations
This vulnerability was responsibly disclosed by researchers at the NCC Group.
- Official ZenithPay Website:
https://zenithpay.com
- Official GitHub Repository:
https://github.com/Zenith-Payments/Gateway
- Official Security Advisory:
https://github.com/Zenith-Payments/Gateway/security/advisories/GHSA-fictional-wxyz-3133
- NVD Entry:
https://nvd.nist.gov/vuln/detail/CVE-2025-31334
- Discoverer’s Technical Blog:
https://www.nccgroup.com/uk/about-us/newsroom-and-events/blog/2025/cve-2025-31334-racing-to-the-bank/
- General