GMS-2021-31: constructEvent does not verify header
Impact
Anyone verifying a Stripe webhook request via this library’s constructEvent function is affected.
Patches
Upgrade to
Workarounds
Use await verifyHeader(...) directly instead of constructEvent.
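The workaround pattern, sketched as an added example for Node.js (not code from worker-tools/stripe-webhook or from this advisory): the verifier is awaited and the body is parsed only after it resolves. The function signatures, the `verifiedEvent` and `signHeader` helpers, and the 300-second tolerance are assumptions; the `t=...,v1=...` header and the HMAC-SHA256 over `<timestamp>.<payload>` follow Stripe's documented webhook signing scheme.

```javascript
// Added example: stand-in functions, not the worker-tools/stripe-webhook source.
const crypto = require('node:crypto');

const TOLERANCE_SECONDS = 300; // assumption: five-minute replay window

// Split "t=<unix>,v1=<hex>[,v1=<hex>]" into the raw timestamp and candidate signatures.
function parseSignatureHeader(header) {
  const parsed = { timestamp: '', signatures: [] };
  for (const part of String(header || '').split(',')) {
    const [key, value = ''] = part.trim().split('=');
    if (key === 't') parsed.timestamp = value;
    else if (key === 'v1') parsed.signatures.push(value);
  }
  return parsed;
}

// HMAC-SHA256 over "<timestamp>.<payload>", the scheme Stripe documents for webhooks.
function computeSignature(secret, timestamp, payload) {
  return crypto.createHmac('sha256', secret).update(`${timestamp}.${payload}`, 'utf8').digest();
}

// Hypothetical async verifier: resolves true, or rejects with the reason.
async function verifyHeader(payload, header, secret, now = Date.now() / 1000) {
  const { timestamp, signatures } = parseSignatureHeader(header);
  if (!/^\d+$/.test(timestamp) || signatures.length === 0) {
    throw new Error('malformed signature header');
  }
  if (Math.abs(now - Number(timestamp)) > TOLERANCE_SECONDS) {
    throw new Error('timestamp outside tolerance');
  }
  const expected = computeSignature(secret, timestamp, payload);
  const matched = signatures.some((hex) => {
    const given = Buffer.from(hex, 'hex');
    return given.length === expected.length && crypto.timingSafeEqual(given, expected);
  });
  if (!matched) throw new Error('no matching v1 signature');
  return true;
}

// The workaround pattern: await the verifier, then parse. A rejection stops here.
async function verifiedEvent(rawBody, header, secret, now) {
  await verifyHeader(rawBody, header, secret, now);
  return JSON.parse(rawBody);
}

// Builds a header for constructed test input, as the sending side would.
function signHeader(rawBody, secret, timestamp) {
  return `t=${timestamp},v1=${computeSignature(secret, timestamp, rawBody).toString('hex')}`;
}
```

Pass the raw request body exactly as received; re-serialized JSON will not match the signature.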
References
https://github.com/worker-tools/stripe-webhook/issues/1