CRITICAL | CWE-345 | Payment Security

Stripe Webhook Without Signature Verification

Description

Your Stripe webhook endpoint does not verify the Stripe-Signature header, allowing attackers to forge payment events.

How Vezraa Detects It

We send a test payload to your webhook endpoint and check if signature verification is properly implemented.

Real-World Impact

Fake checkout.session.completed events can grant free subscriptions, bypass payments, and trigger fulfillment of digital goods.

Fix Example

// Stripe signs the *raw* request body, so this route must receive the unparsed body
// (e.g. express.raw({ type: 'application/json' }) in Express, or bodyParser disabled
// for this API route in Next.js). Passing re-serialised JSON will fail verification.
const stripe = require('stripe')(STRIPE_SECRET_KEY);

// constructEvent recomputes the HMAC from the raw body and the endpoint's webhook
// secret, checks it against the Stripe-Signature header, and rejects stale timestamps.
// It throws on any failure, so only a verified event reaches your business logic.
const event = stripe.webhooks.constructEvent(
  req.body,                           // raw body bytes, not a parsed object
  req.headers['stripe-signature'],
  STRIPE_WEBHOOK_SECRET
);

Affected Stacks

Stripe, Next.js, Express
