GHSA-v7xq-3wx6-fqc2: In monetr, unauthenticated Stripe webhook reads attacker-sized request bodies before signature validation

April 14, 2026

The public Stripe webhook endpoint fully reads the request body into memory before validating the Stripe signature. A remote unauthenticated attacker can send oversized POST bodies and cause substantial memory growth, leading to denial of service.

References

github.com/advisories/GHSA-v7xq-3wx6-fqc2
github.com/monetr/monetr
github.com/monetr/monetr/security/advisories/GHSA-v7xq-3wx6-fqc2

Code Behaviors & Features

Detect and mitigate GHSA-v7xq-3wx6-fqc2 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →