constructEvent does not verify header

2021-05-2819:18:28

Google

osv.dev

stripe

webhook

vulnerability

patch

upgrade

verify

header

function

library

workaround

issue

software

Anyone verifying a Stripe webhook request via this library’s constructEvent function.

Upgrade to 1.1.4.

Use await verifyHeader(...) directly instead of constructEvent.

References

github.com/worker-tools/stripe-webhook/security/advisories/GHSA-4g53-vp7q-gfjv