Skip to main content

Monetr CVE-2026-40481

HIGH
Uncontrolled Resource Consumption (CWE-400)
2026-04-17 GitHub_M GHSA-v7xq-3wx6-fqc2
8.2
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.2 HIGH
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

6
Re-analysis Queued
Apr 20, 2026 - 19:07 vuln.today
cvss_changed
Patch released
Apr 18, 2026 - 02:30 nvd
Patch available
Analysis Generated
Apr 17, 2026 - 23:48 vuln.today
CVSS changed
Apr 17, 2026 - 23:22 NVD
8.2 (HIGH)
Analysis Generated
Apr 17, 2026 - 23:15 vuln.today
CVE Published
Apr 17, 2026 - 22:54 nvd
HIGH 8.2

DescriptionGitHub Advisory

monetr is a budgeting application for recurring expenses. In versions 1.12.3 and below, the public Stripe webhook endpoint buffers the entire request body into memory before validating the Stripe signature. A remote unauthenticated attacker can send oversized POST payloads to cause uncontrolled memory growth, leading to denial of service. The issue affects deployments with Stripe webhooks enabled and is mitigated if an upstream proxy enforces a request body size limit. This issue has been fixed in version 1.12.4.

AnalysisAI

Uncontrolled memory consumption in monetr 1.12.3 and earlier allows remote unauthenticated attackers to trigger denial of service by sending oversized payloads to the public Stripe webhook endpoint. The vulnerability affects deployments with Stripe webhooks enabled and lacks upstream body-size enforcement. Version 1.12.4 provides a fix. EPSS and KEV data not available; no public exploit confirmed at time of analysis, though the attack method is straightforward (8.2 CVSS reflecting high availability impact with low complexity).

Technical ContextAI

This is a resource exhaustion vulnerability (CWE-400: Uncontrolled Resource Consumption) in monetr's Stripe webhook integration. The affected endpoint processes incoming Stripe webhook POST requests by buffering the entire body into memory before performing cryptographic signature validation. Stripe webhooks are HTTP callbacks that notify applications of payment events. The design flaw violates secure input handling principles: expensive operations (memory allocation) occur before trust establishment (signature verification). Affected product: monetr versions ≤1.12.3 (CPE: cpe:2.3:a:monetr:monetr:*:*:*:*:*:*:*:*). The CVSS 4.0 vector indicates network-accessible attack with low complexity but present attack requirements (AT:P), likely referencing the need for Stripe webhooks to be enabled in the deployment configuration.

RemediationAI

Upgrade to monetr version 1.12.4 or later, released by the vendor to address this issue (https://github.com/monetr/monetr/releases/tag/v1.12.4). The patch implements request body size validation before buffering webhook payloads into memory. For deployments unable to upgrade immediately, configure upstream reverse proxy or API gateway to enforce strict request body size limits on the Stripe webhook endpoint path - recommend 1MB maximum (typical Stripe webhook payloads are under 10KB). This workaround provides effective protection but requires infrastructure access and careful path routing to avoid blocking legitimate large webhooks if business logic expects them. Side effect: overly restrictive limits may reject valid Stripe events for accounts with complex subscription metadata. Review Stripe documentation for maximum expected payload sizes before setting limits. Alternatively, disable Stripe webhook integration temporarily if not critical to operations, though this breaks real-time payment event processing.

Share

CVE-2026-40481 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy