CVE-2026-40481

Name of the Vulnerable Software and Affected Versions monetr versions prior to 1.12.4

Description The public Stripe webhook endpoint buffers the entire request body into memory before validating the Stripe signature. A remote unauthenticated attacker can send oversized POST payloads to the '/api/stripe/webhook' endpoint to cause uncontrolled memory growth, leading to denial of service. This issue occurs because the handler only requires a Stripe-Signature header to be present before buffering the body, meaning memory consumption is controlled by the attacker-supplied payload size even if the signature is invalid. The issue affects deployments where Stripe webhooks are enabled.

Recommendations Update to version 1.12.4. As a temporary mitigation, enforce a request body size limit using an upstream proxy or load balancer to restrict the size of payloads sent to the '/api/stripe/webhook' endpoint.