Monetr
CVE-2026-40481
HIGH
Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6DescriptionGitHub Advisory
monetr is a budgeting application for recurring expenses. In versions 1.12.3 and below, the public Stripe webhook endpoint buffers the entire request body into memory before validating the Stripe signature. A remote unauthenticated attacker can send oversized POST payloads to cause uncontrolled memory growth, leading to denial of service. The issue affects deployments with Stripe webhooks enabled and is mitigated if an upstream proxy enforces a request body size limit. This issue has been fixed in version 1.12.4.
AnalysisAI
Uncontrolled memory consumption in monetr 1.12.3 and earlier allows remote unauthenticated attackers to trigger denial of service by sending oversized payloads to the public Stripe webhook endpoint. The vulnerability affects deployments with Stripe webhooks enabled and lacks upstream body-size enforcement. Version 1.12.4 provides a fix. EPSS and KEV data not available; no public exploit confirmed at time of analysis, though the attack method is straightforward (8.2 CVSS reflecting high availability impact with low complexity).
Technical ContextAI
This is a resource exhaustion vulnerability (CWE-400: Uncontrolled Resource Consumption) in monetr's Stripe webhook integration. The affected endpoint processes incoming Stripe webhook POST requests by buffering the entire body into memory before performing cryptographic signature validation. Stripe webhooks are HTTP callbacks that notify applications of payment events. The design flaw violates secure input handling principles: expensive operations (memory allocation) occur before trust establishment (signature verification). Affected product: monetr versions ≤1.12.3 (CPE: cpe:2.3:a:monetr:monetr:*:*:*:*:*:*:*:*). The CVSS 4.0 vector indicates network-accessible attack with low complexity but present attack requirements (AT:P), likely referencing the need for Stripe webhooks to be enabled in the deployment configuration.
RemediationAI
Upgrade to monetr version 1.12.4 or later, released by the vendor to address this issue (https://github.com/monetr/monetr/releases/tag/v1.12.4). The patch implements request body size validation before buffering webhook payloads into memory. For deployments unable to upgrade immediately, configure upstream reverse proxy or API gateway to enforce strict request body size limits on the Stripe webhook endpoint path - recommend 1MB maximum (typical Stripe webhook payloads are under 10KB). This workaround provides effective protection but requires infrastructure access and careful path routing to avoid blocking legitimate large webhooks if business logic expects them. Side effect: overly restrictive limits may reject valid Stripe events for accounts with complex subscription metadata. Review Stripe documentation for maximum expected payload sizes before setting limits. Alternatively, disable Stripe webhook integration temporarily if not critical to operations, though this breaks real-time payment event processing.
Same weakness CWE-400 – Uncontrolled Resource Consumption
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-v7xq-3wx6-fqc2