Vendor
A timing side-channel vulnerability in the `Pay` gem's Paddle Billing webhook signature verification component (`Pay::Webhooks::PaddleBillingController#valid_signature?` <= v11.6.1) allows an unauthenticated attacker to recover the HMAC signing secret by observing response time variations in `String#==` comparisons, enabling the forgery of arbitrary webhook events and leading to business logic abuses such as unauthorized feature provisioning or fraudulent refunds.