Platform: go
Component: monetr
Fixed in: 1.12.5, 1.12.4
CVE-2026-40481 describes a denial-of-service vulnerability within the monetr application's Stripe webhook endpoint. This vulnerability allows a remote, unauthenticated attacker to induce substantial memory growth by sending oversized POST requests. The vulnerability impacts versions 1.12.3 and earlier, and a fix is available in version 1.12.4.
The primary impact of CVE-2026-40481 is a denial-of-service (DoS). An attacker can exploit this vulnerability by crafting and sending oversized POST requests to the monetr application's Stripe webhook endpoint. Because the application buffers the entire request body into memory before validating the Stripe signature, a sufficiently large request can exhaust available memory resources. This can lead to application crashes, service unavailability, and potentially impact other services sharing the same infrastructure. The lack of authentication means an attacker can trigger this DoS remotely without needing any credentials.
CVE-2026-40481 was publicly disclosed on 2026-04-17. There is currently no indication of active exploitation in the wild. The vulnerability is not listed on the CISA KEV catalog as of this writing. Public proof-of-concept code is not yet available, but the vulnerability's nature makes it relatively straightforward to exploit.
Organizations using monetr versions 1.12.3 and below, particularly those relying on Stripe webhooks for integrations, are at risk. Shared hosting environments where multiple users share the same server resources are especially vulnerable, as a single attacker could impact all users on the host.
• linux / server:
journalctl -u monetr -g "Stripe webhook" | grep -i "memory allocation"
• generic web:
curl -v -X POST -d "$(head /dev/urandom | tr -dc A-Za-z0-9 | head -c 100000)" https://your-monetr-instance/stripe-webhook
Inspect the server's memory usage during the curl request. Excessive memory consumption indicates potential exploitation.
disclosure
Exploit status
EPSS
0.18% (40th percentile)
CISA SSVC
The recommended mitigation for CVE-2026-40481 is to immediately upgrade monetr to version 1.12.4 or later. This version includes a fix that prevents the excessive memory allocation. If upgrading is not immediately feasible, consider implementing rate limiting on the Stripe webhook endpoint to restrict the size and frequency of incoming POST requests. Additionally, consider implementing a WAF rule to filter out unusually large POST requests. After upgrading, confirm the fix by sending a large POST request to the webhook endpoint and verifying that memory usage remains within acceptable limits.
Upgrade to version 1.12.4 or later to mitigate the issue. If you cannot upgrade immediately, configure an upstream proxy to enforce a limit on the request body size for Stripe webhooks.
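The root cause described above is that the whole body is buffered before the Stripe signature is checked, and the workaround is a body-size limit. The Go handler below is an added illustration of the hardened ordering, not monetr's code or its actual fix: it caps the body with http.MaxBytesReader before reading, answers 413 when the cap is exceeded, and only then verifies a simplified Stripe-Signature (v1 = HMAC-SHA256 over "t.payload", hex-encoded; timestamp tolerance omitted). The 64 KiB limit, the ":8080" address and the whsec_placeholder secret are assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"io"
	"net/http"
	"strings"
)

// Upper bound on bytes buffered per webhook request; 64 KiB is an assumed value.
const maxWebhookBody = 64 << 10

// Simplified Stripe-Signature check: v1 = hex(HMAC-SHA256(secret, "<t>.<payload>")).
func verifyStripeSignature(header string, payload []byte, secret string) bool {
	var ts, sig string
	for _, part := range strings.Split(header, ",") {
		p := strings.TrimSpace(part)
		if strings.HasPrefix(p, "t=") {
			ts = p[2:]
		} else if strings.HasPrefix(p, "v1=") {
			sig = p[3:]
		}
	}
	mac := hmac.New(sha256.New, []byte(secret))
	mac.Write([]byte(ts + "." + string(payload)))
	want, err := hex.DecodeString(sig)
	return ts != "" && err == nil && hmac.Equal(mac.Sum(nil), want)
}

// Body is bounded before it is read: oversized requests get 413 instead of being buffered in full.
func stripeWebhookHandler(secret string) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		r.Body = http.MaxBytesReader(w, r.Body, maxWebhookBody)
		payload, err := io.ReadAll(r.Body)
		if err != nil { // *http.MaxBytesError once the cap is exceeded
			http.Error(w, "payload too large", http.StatusRequestEntityTooLarge)
			return
		}
		if !verifyStripeSignature(r.Header.Get("Stripe-Signature"), payload, secret) {
			http.Error(w, "invalid Stripe signature", http.StatusBadRequest)
			return
		}
		w.WriteHeader(http.StatusOK)
	}
}

// Address and secret are placeholders, not monetr's.
func main() { panic(http.ListenAndServe(":8080", stripeWebhookHandler("whsec_placeholder"))) }
```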
CVE-2026-40481 is a denial-of-service vulnerability in monetr affecting versions 1.12.3 and below. An attacker can send oversized POST requests to the Stripe webhook endpoint, causing memory exhaustion and service disruption.
You are affected if you are running monetr version 1.12.3 or earlier and have Stripe webhooks enabled. Upgrade to version 1.12.4 to mitigate the risk.
Upgrade monetr to version 1.12.4 or later. As a temporary workaround, implement rate limiting or WAF rules to restrict the size of incoming POST requests to the Stripe webhook endpoint.
There is currently no evidence of active exploitation in the wild, but the vulnerability is relatively easy to exploit.
Refer to the monetr project's official website and release notes for the advisory and detailed information regarding the fix.