CRITICAL · CWE-345 · Payment Security

Razorpay Webhook Without Signature Verification

Description

Your Razorpay webhook endpoint does not verify the webhook signature, allowing attackers to forge payment events.

How Vezraa Detects It

We check your webhook endpoint's response to a forged payload. If it returns 200 without verifying, we flag it.

Real-World Impact

Attackers can send fake payment-success events and gain access to paid features, digital goods, or subscriptions without paying.

Fix Example

const crypto = require('crypto');

// Verify over the raw request bytes Razorpay signed. Do not hash
// JSON.stringify(req.body): re-serializing a parsed body can change whitespace
// or key order and the HMAC will no longer match. Mount the route with
// express.raw({ type: 'application/json' }) so req.body is the raw Buffer.
const expected = crypto
  .createHmac('sha256', process.env.RAZORPAY_WEBHOOK_SECRET)
  .update(req.body)
  .digest('hex');
const received = String(req.headers['x-razorpay-signature'] || '');

// Constant-time comparison; timingSafeEqual throws on length mismatch, so check the length first.
if (received.length !== expected.length ||
    !crypto.timingSafeEqual(Buffer.from(received), Buffer.from(expected))) {
  return res.status(400).send('Invalid signature');
}

Affected Stacks

Razorpay, Next.js, Express


Razorpay Webhook Without Signature Verification — Vulnerability Database | Vezraa