CVE-2026-40481
Memory Exhaustion in monetr Stripe Webhook Causes DoS
Publication date: 2026-04-17
Last updated on: 2026-04-24
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| monetr | monetr | to 1.12.4 (exc) |
| CWE ID | Description |
|---|---|
| CWE-400 | The product does not properly control the allocation and maintenance of a limited resource. |
AI Powered Q&A
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves the monetr application versions 1.12.3 and below, specifically when the Stripe webhook endpoint buffers the entire request body into memory before validating the Stripe signature. Detection would involve identifying if your deployment is running a vulnerable version of monetr with Stripe webhooks enabled.
Since the vulnerability is triggered by oversized POST payloads to the Stripe webhook endpoint, monitoring for unusually large POST requests to the webhook URL could indicate exploitation attempts.
You can check the version of monetr running on your system to confirm whether it is 1.12.3 or below, which is vulnerable.
- Check the monetr version: inspect your deployment metadata (container image tag, release package, or the application's own version output) to identify the version in use.
- Monitor network traffic for large POST requests to the Stripe webhook endpoint URL.
- If you have access logs, review requests to the webhook with, for example, `grep 'POST /stripe-webhook' /path/to/access.log` (the webhook path and log location are placeholders; substitute those of your deployment).
- Use network monitoring tools (e.g., tcpdump or Wireshark) to capture and analyze POST request sizes to the webhook endpoint.
- If you have an upstream proxy, verify if it enforces request body size limits to mitigate this issue.
Can you explain this vulnerability to me?
This vulnerability exists in the monetr budgeting application versions 1.12.3 and below. The public Stripe webhook endpoint buffers the entire request body into memory before validating the Stripe signature. Because of this, a remote unauthenticated attacker can send very large POST requests that cause uncontrolled memory growth on the server.
This uncontrolled memory growth can lead to a denial of service (DoS) condition, making the application unavailable or unstable.
The vulnerability affects deployments with Stripe webhooks enabled and can be mitigated if an upstream proxy enforces a request body size limit. The issue was fixed in version 1.12.4.
How can this vulnerability impact me?
This vulnerability can impact you by allowing a remote attacker to cause a denial of service on your monetr application if you are using Stripe webhooks.
An attacker can send oversized POST payloads that consume excessive memory, potentially crashing the application or making it unresponsive.
This can disrupt your budgeting service availability and affect users relying on it.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should upgrade monetr to version 1.12.4 or later, where the issue has been fixed.
If upgrading immediately is not possible, ensure that an upstream proxy enforces a request body size limit to prevent oversized POST payloads from causing uncontrolled memory growth.
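The two patterns described above (buffering the whole body before the signature check, and capping the body size) side by side in Go, as an added illustration that is not monetr's code: the handler names, the `/stripe-webhook` path, and the 256 KiB limit are assumptions; `limit <= 0` reproduces the unbounded read, while a positive limit uses `http.MaxBytesReader` to refuse oversized payloads before they are allocated.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// Stripe event payloads are small, so a 256 KiB cap (an assumed value, not
// monetr's) bounds per-request memory without rejecting real webhooks.
const maxWebhookBody int64 = 256 << 10

// readWebhookBody buffers the body, which the Stripe signature check needs in
// full, and returns it with an HTTP status. limit <= 0 is the vulnerable
// pattern: io.ReadAll grows with whatever the unauthenticated client sends.
// With a limit, MaxBytesReader aborts the read once the cap is exceeded and
// the handler answers 413 instead of allocating further.
func readWebhookBody(w http.ResponseWriter, r *http.Request, limit int64) ([]byte, int) {
	if limit > 0 {
		r.Body = http.MaxBytesReader(w, r.Body, limit)
	}
	body, err := io.ReadAll(r.Body)
	if err != nil {
		var tooBig *http.MaxBytesError
		if errors.As(err, &tooBig) {
			return nil, http.StatusRequestEntityTooLarge
		}
		return nil, http.StatusBadRequest
	}
	return body, http.StatusOK
}

// simulate posts a constructed body of n zero bytes (not a real Stripe event)
// to the read step and reports the status plus how many bytes remained in
// memory to be handed to signature verification.
func simulate(limit int64, n int) (int, int) {
	req := httptest.NewRequest(http.MethodPost, "/stripe-webhook", bytes.NewReader(make([]byte, n)))
	rec := httptest.NewRecorder()
	body, status := readWebhookBody(rec, req, limit)
	return status, len(body)
}

func main() {
	fmt.Println(simulate(0, 8<<20))              // unbounded: 8 MiB fully buffered
	fmt.Println(simulate(maxWebhookBody, 8<<20)) // bounded: refused with 413
}
```

A proxy-side body limit achieves the same effect for deployments that cannot upgrade yet, but the in-process cap protects the endpoint even when the proxy is misconfigured or bypassed.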