CVE-2026-40481
Received Received - Intake
Memory Exhaustion in monetr Stripe Webhook Causes DoS

Publication date: 2026-04-17

Last updated on: 2026-04-24

Assigner: GitHub, Inc.

Description
monetr is a budgeting application for recurring expenses. In versions 1.12.3 and below, the public Stripe webhook endpoint buffers the entire request body into memory before validating the Stripe signature. A remote unauthenticated attacker can send oversized POST payloads to cause uncontrolled memory growth, leading to denial of service. The issue affects deployments with Stripe webhooks enabled and is mitigated if an upstream proxy enforces a request body size limit. This issue has been fixed in version 1.12.4.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-17
Last Modified
2026-04-24
Generated
2026-06-16
AI Q&A
2026-04-18
EPSS Evaluated
2026-06-15
NVD
CVE-2026-40481
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
monetr monetr to 1.12.4 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-400 The product does not properly control the allocation and maintenance of a limited resource.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Detection Guidance

This vulnerability involves the monetr application versions 1.12.3 and below, specifically when the Stripe webhook endpoint buffers the entire request body into memory before validating the Stripe signature. Detection would involve identifying if your deployment is running a vulnerable version of monetr with Stripe webhooks enabled.

Since the vulnerability is triggered by oversized POST payloads to the Stripe webhook endpoint, monitoring for unusually large POST requests to the webhook URL could indicate exploitation attempts.

You can check the version of monetr running on your system to confirm if it is 1.12.3 or below, which are vulnerable.

  • Check monetr version: Run a command or check your deployment metadata to identify the monetr version.
  • Monitor network traffic for large POST requests to the Stripe webhook endpoint URL.
  • If you have access logs, use commands like: `grep 'POST /stripe-webhook' /path/to/access.log | awk '{print $0}'` to review requests.
  • Use network monitoring tools (e.g., tcpdump or Wireshark) to capture and analyze POST request sizes to the webhook endpoint.
  • If you have an upstream proxy, verify if it enforces request body size limits to mitigate this issue.
Executive Summary

This vulnerability exists in the monetr budgeting application versions 1.12.3 and below. The public Stripe webhook endpoint buffers the entire request body into memory before validating the Stripe signature. Because of this, a remote unauthenticated attacker can send very large POST requests that cause uncontrolled memory growth on the server.

This uncontrolled memory growth can lead to a denial of service (DoS) condition, making the application unavailable or unstable.

The vulnerability affects deployments with Stripe webhooks enabled and can be mitigated if an upstream proxy enforces a request body size limit. The issue was fixed in version 1.12.4.

Impact Analysis

This vulnerability can impact you by allowing a remote attacker to cause a denial of service on your monetr application if you are using Stripe webhooks.

An attacker can send oversized POST payloads that consume excessive memory, potentially crashing the application or making it unresponsive.

This can disrupt your budgeting service availability and affect users relying on it.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade monetr to version 1.12.4 or later, where the issue has been fixed.

If upgrading immediately is not possible, ensure that an upstream proxy enforces a request body size limit to prevent oversized POST payloads from causing uncontrolled memory growth.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-40481. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart