GHSA-xvp7-8vm8-xfxx: 
JavaScript vulnerability analysis and mitigation

The GoCardless components in Actualbudget (npm package @actual-app/sync-server) version 25.10.0 and earlier contain a sensitive data exposure vulnerability. The service logs responses to STDOUT using console.log and console.debug, which exposes sensitive information including GoCardless bearer tokens, account IBAN numbers, bank account numbers, account holder PII, and transaction details. This vulnerability was published on October 18, 2025, and received a moderate severity rating with a CVSS score of 4.2 (GitHub Advisory).

The vulnerability stems from debug logging functionality that prints complete API response payloads to console output. The issue exists in multiple components, specifically in the integration-bank.js and app-gocardless.js files. When GoCardless responds to requests, the service logs account properties and transaction details in JSON format. Additionally, error handling code dumps complete stack traces including authentication tokens when encountering errors such as 503 Service Unavailable responses (GitHub Advisory).

This vulnerability results in information disclosure of sensitive financial and personal data. The exposed information includes bearer tokens for GoCardless API access, account IBAN numbers, bank account numbers, account holder personal information, and detailed transaction data including payee bank information and transaction IDs. The impact is particularly concerning as the services are available both on-premises and in environments managed by third-party providers (GitHub Advisory).

A patch has been released in version 25.11.0 of the software to address this vulnerability (GitHub Advisory).