Platform
go
Component
monetr
Fixed in
1.12.5
1.12.4
CVE-2026-40481 describes a denial-of-service vulnerability within the monetr application's Stripe webhook endpoint. This vulnerability allows a remote, unauthenticated attacker to induce substantial memory growth by sending oversized POST requests. The vulnerability impacts versions 1.12.3 and earlier, and a fix is available in version 1.12.4.
The primary impact of CVE-2026-40481 is a denial-of-service condition. An attacker can exploit this vulnerability by crafting a malicious POST request with a significantly large body and sending it to the Monetr Stripe webhook endpoint. Because the application buffers the entire request body into memory before signature verification, this can lead to excessive memory consumption. If the server's memory resources are exhausted, it may become unresponsive or crash, effectively denying legitimate users access to the service. The lack of authentication required for accessing the webhook route amplifies the risk, as any external actor can trigger this condition. This vulnerability shares similarities with other memory exhaustion attacks targeting web applications that handle large file uploads or data streams without proper size limitations.
CVE-2026-40481 was publicly disclosed on 2026-04-17. There is no indication of this vulnerability being actively exploited at the time of writing. The EPSS score is pending evaluation. No public proof-of-concept (PoC) code has been released. This vulnerability is not currently listed on the CISA KEV catalog.
Organizations using monetr versions 1.12.3 and below, particularly those relying on Stripe webhooks for integrations, are at risk. Shared hosting environments where multiple users share the same server resources are especially vulnerable, as a single attacker could impact all users on the host.
• linux / server:
journalctl -u monetr -g "Stripe webhook" | grep -i "memory allocation"
• generic web:
curl -v -X POST -d "$(head /dev/urandom | tr -dc A-Za-z0-9 | head -c 100000)" https://your-monetr-instance/stripe-webhook
Inspect the server's memory usage during the curl request. Excessive memory consumption indicates potential exploitation.
Disclosure
Exploit status
EPSS
0.18% (40th percentile)
CISA SSVC
The recommended mitigation for CVE-2026-40481 is to immediately upgrade Monetr to version 1.12.4 or later, which includes the fix for this vulnerability. If upgrading is not immediately feasible, consider implementing temporary workarounds. One approach is to configure a reverse proxy or WAF (Web Application Firewall) to limit the maximum size of POST requests allowed to the Stripe webhook endpoint. Specifically, set a maximum request body size that is significantly smaller than the server's available memory. Additionally, review and potentially adjust the server's memory allocation settings to ensure sufficient resources are available for normal operation. After upgrading, confirm the fix by sending a large POST request to the webhook endpoint and verifying that memory usage remains within acceptable limits.
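The root cause described above is that the handler reads the whole request body into memory before it checks the signature, so the fix inside the application is to bound that read. The Go handler below is an added example written for this page, not monetr's own code or its actual patch. It assumes a 64 KiB cap, a simplified `v1=<hex HMAC-SHA256>` signature header that stands in for Stripe's real signature scheme (which also covers a timestamp), and a constructed secret and event payload.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// maxWebhookBody bounds how many bytes of a webhook body are ever held in
// memory before the signature is checked. Stripe events are small JSON
// documents, so 64 KiB is generous; the exact figure is an assumption here.
const maxWebhookBody = 64 * 1024

var errBodyTooLarge = errors.New("webhook body exceeds limit")

// readBoundedBody reads at most maxWebhookBody bytes from the request. One
// byte past that makes http.MaxBytesReader return an error and close the
// connection, so an oversized POST can never grow the heap beyond the cap.
func readBoundedBody(w http.ResponseWriter, r *http.Request) ([]byte, error) {
	body, err := io.ReadAll(http.MaxBytesReader(w, r.Body, maxWebhookBody))
	if err != nil {
		var tooLarge *http.MaxBytesError
		if errors.As(err, &tooLarge) {
			return nil, errBodyTooLarge
		}
		return nil, err
	}
	return body, nil
}

// signBody produces the simplified "v1=<hex hmac-sha256>" header value this
// example verifies. The format is an assumption made for the example and is
// not Stripe's real scheme.
func signBody(secret, body []byte) string {
	mac := hmac.New(sha256.New, secret)
	mac.Write(body)
	return "v1=" + hex.EncodeToString(mac.Sum(nil))
}

// validSignature recomputes the HMAC over the already-bounded body and
// compares in constant time.
func validSignature(secret []byte, header string, body []byte) bool {
	return hmac.Equal([]byte(header), []byte(signBody(secret, body)))
}

// webhookHandler enforces the size limit first, then the signature, and only
// then would process the event.
type webhookHandler struct {
	secret []byte
}

func (h webhookHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	if r.Method != http.MethodPost {
		http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
		return
	}
	// Cheap early rejection when the client declares an oversized body. A
	// chunked request carries no Content-Length (-1 here), so the bounded
	// read below is still required.
	if r.ContentLength > maxWebhookBody {
		http.Error(w, "payload too large", http.StatusRequestEntityTooLarge)
		return
	}
	body, err := readBoundedBody(w, r)
	switch {
	case errors.Is(err, errBodyTooLarge):
		http.Error(w, "payload too large", http.StatusRequestEntityTooLarge)
		return
	case err != nil:
		http.Error(w, "bad request", http.StatusBadRequest)
		return
	}
	if !validSignature(h.secret, r.Header.Get("Stripe-Signature"), body) {
		http.Error(w, "invalid signature", http.StatusUnauthorized)
		return
	}
	// Event processing would go here; the example only acknowledges receipt.
	w.WriteHeader(http.StatusOK)
}

// postWebhook drives the handler in-process and returns the HTTP status code,
// so the behaviour can be checked without a listening socket.
func postWebhook(secret []byte, signature string, body io.Reader) int {
	req := httptest.NewRequest(http.MethodPost, "/stripe-webhook", body)
	if signature != "" {
		req.Header.Set("Stripe-Signature", signature)
	}
	rec := httptest.NewRecorder()
	webhookHandler{secret: secret}.ServeHTTP(rec, req)
	return rec.Code
}

// streamed hides the body length from httptest.NewRequest so the request
// looks chunked (ContentLength == -1) and exercises the MaxBytesReader path.
type streamed struct{ io.Reader }

func main() {
	secret := []byte("whsec_example_constructed")              // constructed, not a real secret
	event := []byte(`{"type":"checkout.session.completed"}`) // constructed sample event
	big := func() io.Reader { return strings.NewReader(strings.Repeat("x", maxWebhookBody+1)) }

	fmt.Println("valid event:      ", postWebhook(secret, signBody(secret, event), strings.NewReader(string(event))))
	fmt.Println("forged signature: ", postWebhook(secret, "v1=deadbeef", strings.NewReader(string(event))))
	fmt.Println("declared oversize:", postWebhook(secret, "", big()))
	fmt.Println("streamed oversize:", postWebhook(secret, "", streamed{big()}))
}
```

Run with `go run`; it prints 200 for the valid event, 401 for the forged signature, 413 for a request whose Content-Length already exceeds the cap, and 413 for a streamed body with no Content-Length that crosses the cap mid-read. The `http.MaxBytesReader` wrapper is what handles the last case, which a Content-Length check alone would miss. At the proxy layer, nginx's `client_max_body_size` directive enforces the same bound before the request reaches the application, which is the workaround the paragraph above describes.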
Upgrade to version 1.12.4 or later to mitigate the issue. If you cannot upgrade immediately, configure an upstream proxy to enforce a limit on the request body size for Stripe webhooks.
CVE-2026-40481 is a denial-of-service vulnerability in monetr affecting versions 1.12.3 and below. An attacker can send oversized POST requests to the Stripe webhook endpoint, causing memory exhaustion and service disruption.
You are affected if you are running monetr version 1.12.3 or earlier and have Stripe webhooks enabled. Upgrade to version 1.12.4 to mitigate the risk.
Upgrade monetr to version 1.12.4 or later. As a temporary workaround, implement rate limiting or WAF rules to restrict the size of incoming POST requests to the Stripe webhook endpoint.
There is currently no evidence of active exploitation in the wild, but the vulnerability is relatively easy to exploit.
Refer to the monetr project's official website and release notes for the advisory and detailed information regarding the fix.