Description
monetr is a budgeting application for recurring expenses. In versions 1.12.3 and below, the public Stripe webhook endpoint buffers the entire request body into memory before validating the Stripe signature. A remote unauthenticated attacker can send oversized POST payloads to cause uncontrolled memory growth, leading to denial of service. The issue affects deployments with Stripe webhooks enabled and is mitigated if an upstream proxy enforces a request body size limit. This issue has been fixed in version 1.12.4.
Published: 2026-04-17
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Immediate Patch
AI Analysis

Impact

A vulnerability in the public Stripe webhook endpoint of monetr buffers the entire request body into memory before validating the Stripe signature. This allows a remote unauthenticated attacker to send oversized POST payloads that trigger uncontrolled memory growth, leading to denial of service. The weakness is reflected in CWE‑400 and is limited to applications that have Stripe webhooks enabled.

Affected Systems

The issue affects monetr monetr deployments using versions 1.12.3 and earlier. Attackers can target any instance that exposes the Stripe webhook and has the bug present.

Risk and Exploitability

With a CVSS score of 8.2 the vulnerability is considered high severity. The EPSS score is currently unavailable, but the impact is significant for any exposed webhook. It is not listed in the CISA KEV catalog. Without defensive controls, the flaw can be exploited remotely by an unauthenticated user, and the denial of service can affect application availability.

Generated by OpenCVE AI on April 18, 2026 at 08:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to monetr version 1.12.4 or later, where the request body buffering before signature validation has been removed.
  • If upgrading is not immediately possible, configure an upstream proxy or load balancer to enforce a strict maximum request body size, such as setting "client_max_body_size" in Nginx or the "MaxRequestBodySize" in IIS, to prevent large payloads from reaching the application.
  • Consider disabling the Stripe webhook endpoint if the feature is not required for the deployment, or replace it with a more secure integration that performs signature validation before reading the request body.

Generated by OpenCVE AI on April 18, 2026 at 08:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-v7xq-3wx6-fqc2 In monetr, unauthenticated Stripe webhook reads attacker-sized request bodies before signature validation
History

Mon, 20 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
First Time appeared Monetr
Monetr monetr
Vendors & Products Monetr
Monetr monetr

Mon, 20 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 17 Apr 2026 23:00:00 +0000

Type Values Removed Values Added
Description monetr is a budgeting application for recurring expenses. In versions 1.12.3 and below, the public Stripe webhook endpoint buffers the entire request body into memory before validating the Stripe signature. A remote unauthenticated attacker can send oversized POST payloads to cause uncontrolled memory growth, leading to denial of service. The issue affects deployments with Stripe webhooks enabled and is mitigated if an upstream proxy enforces a request body size limit. This issue has been fixed in version 1.12.4.
Title monetr: Unauthenticated Stripe webhook reads attacker-sized request bodies before signature validation
Weaknesses CWE-400
References
Metrics cvssV4_0

{'score': 8.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Monetr Monetr
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-20T13:36:05.862Z

Reserved: 2026-04-13T19:50:42.114Z

Link: CVE-2026-40481

cve-icon Vulnrichment

Updated: 2026-04-20T13:32:35.321Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-17T23:16:12.457

Modified: 2026-04-20T19:03:07.607

Link: CVE-2026-40481

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T14:59:25Z

Weaknesses