Please do not open GitHub issues or pull requests for security vulnerabilities - this makes the problem immediately visible to everyone, including malicious actors.
Security issues in this open-source project can be safely reported to Stripe's Vulnerability Disclosure and Reward Program. Stripe's security team will triage your report and respond according to its impact on Stripe users and systems.