MEDIUM · CVSS 5.5
Class vulnerability — Stripe webhook handlers without idempotency
Stripe retries webhook deliveries that fail. A handler without idempotency processes the same event twice, and an attacker who replays a captured event exploits that same behaviour to manipulate credits or refunds.
Affects
- Any Stripe webhook handler that does not deduplicate on event_id
What an attacker does
An attacker captures a legitimate webhook event and replays it. Without deduplication on event.id, the handler processes it twice.
How to detect
Code review of the webhook handler for event-id deduplication.
How to fix
Track processed event_ids in the database and reject duplicates. See /guides/secure-stripe-webhooks.
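The fix above, as an added example (not code from this page or from Securie): a handler that first verifies the Stripe-Signature header (HMAC-SHA256 over "<t>.<body>", with Stripe's default 300 s timestamp tolerance) and then dedupes on event.id before any side effect, so a replay that still carries a valid in-window signature is ignored rather than credited twice. The endpoint secret, event payload and in-memory "processed_ids" set are constructed stand-ins; in production the set is a table with a UNIQUE(event_id) constraint.

```python
import hashlib
import hmac
import json

# Stripe signs webhooks as `Stripe-Signature: t=<unix ts>,v1=<hex hmac>`; the HMAC-SHA256
# key is the endpoint secret and the message is "<t>.<raw body>". Stripe's libraries
# reject timestamps more than 300 s old by default, but a replay inside that window
# carries a perfectly valid signature, so signature checks alone do not stop it.
TOLERANCE_SECONDS = 300


def verify_signature(payload: bytes, sig_header: str, secret: str, now: int) -> bool:
    """Return True if the Stripe-Signature header is valid and fresh."""
    parts = dict(kv.split("=", 1) for kv in sig_header.split(","))
    ts = int(parts["t"])
    expected = hmac.new(secret.encode(), f"{ts}.".encode() + payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, parts.get("v1", "")):
        return False
    return abs(now - ts) <= TOLERANCE_SECONDS


class WebhookHandler:
    """Idempotent handler; a set stands in for the processed_event_ids table (constructed)."""

    def __init__(self, secret: str):
        self.secret = secret
        self.processed_ids = set()   # production: INSERT into a table with UNIQUE(event_id)
        self.credits = {}            # customer -> refund credit, constructed side effect

    def handle(self, payload: bytes, sig_header: str, now: int) -> str:
        if not verify_signature(payload, sig_header, self.secret, now):
            return "rejected: bad signature"
        event = json.loads(payload)
        # Dedupe on event.id BEFORE any side effect: a replayed event with a
        # valid, in-window signature must not be credited a second time.
        if event["id"] in self.processed_ids:
            return "ignored: duplicate"
        self.processed_ids.add(event["id"])
        if event["type"] == "charge.refunded":
            obj = event["data"]["object"]
            self.credits[obj["customer"]] = self.credits.get(obj["customer"], 0) + obj["amount_refunded"]
        return "processed"


def sign(payload: bytes, secret: str, ts: int) -> str:
    """Build a Stripe-Signature header; stands in for Stripe's sender side (constructed)."""
    mac = hmac.new(secret.encode(), f"{ts}.".encode() + payload, hashlib.sha256).hexdigest()
    return f"t={ts},v1={mac}"
```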
How Securie catches CVE-2024-XXXX
Securie's static rules scan webhook handlers for missing idempotency deduplication and missing signature verification.