v5.3.2 — 12 May 2025
Type: Patch release
Breaking changes: None
Summary
This patch addresses two security vulnerabilities, a long-standing CSV encoding issue, and several Xero sync stability problems. Upgrade is strongly recommended for all customers.
Security fixes
IDOR vulnerability in invoice download endpoint
An Insecure Direct Object Reference (IDOR) vulnerability was found in the invoice PDF download endpoint. An authenticated user in one StockFlow account could, under certain conditions, download an invoice from a different account if they knew or guessed the invoice ID.
Severity: High (CVSS 7.5). Exploitability required knowing or guessing another account’s invoice IDs, which are UUIDs (128-bit random), making mass exploitation impractical. However, targeted access was possible.
Fixed: The endpoint now verifies that the invoice belongs to the requesting user’s account before serving the PDF.
Affected versions: All versions from v4.0.0 to v5.3.1.
Recommended action: Review your audit logs for any unexpected invoice download events. Contact [email protected] if you suspect unauthorised access.
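As an added illustration of the fix described above (example code, not StockFlow's own), the pre-fix lookup keyed on the invoice ID alone is shown beside a tenant-scoped lookup that also records denied cross-account requests, the kind of event the audit-log review is meant to surface. The sqlite3 table, account IDs and log format are constructed for the example.

```python
import sqlite3
import uuid

class NotFound(Exception):
    """Returned for both 'no such invoice' and 'not this account's invoice',
    so the endpoint does not confirm that a guessed ID exists."""

def build_store():
    # Constructed in-memory stand-in for an invoices table (not StockFlow's schema).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE invoices (id TEXT PRIMARY KEY, account_id TEXT, pdf BLOB)")
    return db

def add_invoice(db, account_id, pdf):
    invoice_id = str(uuid.uuid4())  # random 128-bit ID, as on the page
    db.execute("INSERT INTO invoices VALUES (?, ?, ?)", (invoice_id, account_id, pdf))
    return invoice_id

def download_pdf_vulnerable(db, requester_account, invoice_id):
    # Pre-fix pattern: the caller is authenticated, but the query is keyed on the
    # invoice ID only, so any authenticated account receives any invoice it names.
    row = db.execute("SELECT pdf FROM invoices WHERE id = ?", (invoice_id,)).fetchone()
    if row is None:
        raise NotFound()
    return row[0]

def download_pdf_fixed(db, requester_account, invoice_id, audit_log):
    # Fixed pattern: ownership is part of the lookup itself, so another account's
    # invoice is indistinguishable from a non-existent one.
    row = db.execute(
        "SELECT pdf FROM invoices WHERE id = ? AND account_id = ?",
        (invoice_id, requester_account),
    ).fetchone()
    if row is None:
        # Log the miss: repeated denials from one account are what to look for
        # when reviewing audit logs for unexpected download activity.
        audit_log.append({"event": "invoice_download_denied",
                          "account": requester_account, "invoice_id": invoice_id})
        raise NotFound()
    audit_log.append({"event": "invoice_download",
                      "account": requester_account, "invoice_id": invoice_id})
    return row[0]

if __name__ == "__main__":
    db, log = build_store(), []
    acme_inv = add_invoice(db, "acct-acme", b"%PDF-acme")
    assert download_pdf_fixed(db, "acct-acme", acme_inv, log) == b"%PDF-acme"
    assert download_pdf_vulnerable(db, "acct-other", acme_inv) == b"%PDF-acme"  # IDOR
    try:
        download_pdf_fixed(db, "acct-other", acme_inv, log)
    except NotFound:
        print("cross-account request denied:", log[-1])
```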
Rate limiting not applied to password reset endpoint
The password reset email endpoint was not rate-limited, making it possible for an attacker to spam a user’s email inbox with reset emails, or to enumerate valid email addresses based on response timing differences.
Severity: Low (CVSS 3.7). No credentials were exposed.
Fixed: Password reset requests are now rate-limited to 5 per email address per hour and 20 per IP address per hour.
Bug fixes
CSV exports with non-ASCII characters corrupted in Excel
Product names, descriptions, and client names containing non-ASCII characters (e.g. accented characters like é, ü, ñ, or Chinese/Japanese characters) were being exported in UTF-8 without a BOM (Byte Order Mark). This caused Excel on Windows to interpret the file as Windows-1252 encoding, corrupting the characters.
Fixed: CSV exports now include a UTF-8 BOM, which Excel recognises correctly. Files opened in non-Excel tools (Google Sheets, Python, etc.) are unaffected.
Xero sync — three stability fixes
1. Sync stalling when a Xero token expired mid-batch
When syncing large batches of invoices, if the Xero OAuth token expired mid-way through, the sync would stall silently rather than refreshing the token and continuing.
Fixed: Tokens are now refreshed automatically, and the batch continues from where it left off.
2. Duplicate contacts created in Xero after a client email change
Changing a client’s email address in StockFlow caused a new contact to be created in Xero instead of updating the existing one.
Fixed: Clients are now matched to Xero contacts by a persistent StockFlow ID stored in Xero’s custom fields, not by email address alone.
3. Xero bills failing for POs with a currency different from the Xero org’s base currency
Purchase Orders in non-base currencies were generating a “Currency mismatch” error in Xero.
Fixed: The currency code is now correctly included in the bill payload.
Other fixes
- Fixed: Mobile app login loop on Android 14 when biometric authentication was enabled but no biometric data was enrolled
- Fixed: Notification emails sent to deactivated users (they should not receive emails)
- Fixed: updated_at timestamp on product records not updating when a custom field value was changed
Notes
No database schema changes. No action required from customers beyond updating (which is automatic for SaaS accounts).