Vulnerability-Lookup

CVE-2025-65017 (GCVE-0-2025-65017)

Vulnerability from cvelistv5 – Published: 2026-02-03 15:05 – Updated: 2026-02-03 17:09

Title

Decidim's private data exports can lead to data leaks

Summary

Decidim is a participatory democracy framework. In versions from 0.30.0 to before 0.30.4 and from 0.31.0.rc1 to before 0.31.0, the private data exports can lead to data leaks in case the UUID generation, causing collisions for the generated UUIDs. This issue has been patched in versions 0.30.4 and 0.31.0.

Severity ?

8.2 (High)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N

CWE

CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
CWE-703 - Improper Check or Handling of Exceptional Conditions

Assigner

GitHub_M

References

URL

Tags

	https://github.com/decidim/decidim/security/advis…	x_refsource_CONFIRM
	https://github.com/decidim/decidim/pull/13571	x_refsource_MISC
	https://github.com/decidim/decidim/releases/tag/v0.30.4	x_refsource_MISC
	https://github.com/decidim/decidim/releases/tag/v0.31.0	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	decidim	decidim	Affected: >= 0.30.0, < 0.30.4 Affected: >= 0.31.0.r1, < 0.31.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-65017",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-03T17:09:13.046448Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-03T17:09:47.635Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "decidim",
          "vendor": "decidim",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 0.30.0, \u003c 0.30.4"
            },
            {
              "status": "affected",
              "version": "\u003e= 0.31.0.r1, \u003c 0.31.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Decidim is a participatory democracy framework. In versions from 0.30.0 to before 0.30.4 and from 0.31.0.rc1 to before 0.31.0, the private data exports can lead to data leaks in case the UUID generation, causing collisions for the generated UUIDs. This issue has been patched in versions 0.30.4 and 0.31.0."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "privilegesRequired": "LOW",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "NONE",
            "userInteraction": "PASSIVE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "NONE"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-200",
              "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-703",
              "description": "CWE-703: Improper Check or Handling of Exceptional Conditions",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-03T15:05:24.738Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/decidim/decidim/security/advisories/GHSA-3cx6-j9j4-54mp",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/decidim/decidim/security/advisories/GHSA-3cx6-j9j4-54mp"
        },
        {
          "name": "https://github.com/decidim/decidim/pull/13571",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/decidim/decidim/pull/13571"
        },
        {
          "name": "https://github.com/decidim/decidim/releases/tag/v0.30.4",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/decidim/decidim/releases/tag/v0.30.4"
        },
        {
          "name": "https://github.com/decidim/decidim/releases/tag/v0.31.0",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/decidim/decidim/releases/tag/v0.31.0"
        }
      ],
      "source": {
        "advisory": "GHSA-3cx6-j9j4-54mp",
        "discovery": "UNKNOWN"
      },
      "title": "Decidim\u0027s private data exports can lead to data leaks"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-65017",
    "datePublished": "2026-02-03T15:05:24.738Z",
    "dateReserved": "2025-11-13T15:36:51.680Z",
    "dateUpdated": "2026-02-03T17:09:47.635Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-65017\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-02-03T15:16:12.403\",\"lastModified\":\"2026-02-23T17:32:33.507\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Decidim is a participatory democracy framework. In versions from 0.30.0 to before 0.30.4 and from 0.31.0.rc1 to before 0.31.0, the private data exports can lead to data leaks in case the UUID generation, causing collisions for the generated UUIDs. This issue has been patched in versions 0.30.4 and 0.31.0.\"},{\"lang\":\"es\",\"value\":\"Decidim es un framework de democracia participativa. En las versiones desde la 0.30.0 hasta antes de la 0.30.4 y desde la 0.31.0.rc1 hasta antes de la 0.31.0, las exportaciones de datos privados pueden provocar fugas de datos en caso de la generaci\u00f3n de UUID, causando colisiones para los UUID generados. Este problema ha sido parcheado en las versiones 0.30.4 y 0.31.0.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":8.2,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"PASSIVE\",\"vulnConfidentialityImpact\":\"HIGH\",\"vulnIntegrityImpact\":\"NONE\",\"vulnAvailabilityImpact\":\"NONE\",\"subConfidentialityImpact\":\"HIGH\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-200\"},{\"lang\":\"en\",\"value\":\"CWE-703\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:decidim:decidim:*:*:*:*:*:ruby:*:*\",\"versionStartIncluding\":\"0.30.0\",\"versionEndExcluding\":\"0.30.4\",\"matchCriteriaId\":\"A444B705-4D7C-4D84-B5A9-763436254801\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:decidim:decidim:0.31.0:rc1:*:*:*:ruby:*:*\",\"matchCriteriaId\":\"91A8CA55-8288-4D1C-AF73-9A05EBC732F7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:decidim:decidim:0.31.0:rc2:*:*:*:ruby:*:*\",\"matchCriteriaId\":\"713C31FA-6596-4600-9EE6-9C6EE3ABA65F\"}]}]}],\"references\":[{\"url\":\"https://github.com/decidim/decidim/pull/13571\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Issue Tracking\",\"Patch\"]},{\"url\":\"https://github.com/decidim/decidim/releases/tag/v0.30.4\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://github.com/decidim/decidim/releases/tag/v0.31.0\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://github.com/decidim/decidim/security/advisories/GHSA-3cx6-j9j4-54mp\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-65017\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-02-03T17:09:13.046448Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-02-03T17:09:16.906Z\"}}], \"cna\": {\"title\": \"Decidim\u0027s private data exports can lead to data leaks\", \"source\": {\"advisory\": \"GHSA-3cx6-j9j4-54mp\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 8.2, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N\", \"userInteraction\": \"PASSIVE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"LOW\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"NONE\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"HIGH\", \"vulnConfidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"decidim\", \"product\": \"decidim\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 0.30.0, \u003c 0.30.4\"}, {\"status\": \"affected\", \"version\": \"\u003e= 0.31.0.r1, \u003c 0.31.0\"}]}], \"references\": [{\"url\": \"https://github.com/decidim/decidim/security/advisories/GHSA-3cx6-j9j4-54mp\", \"name\": \"https://github.com/decidim/decidim/security/advisories/GHSA-3cx6-j9j4-54mp\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/decidim/decidim/pull/13571\", \"name\": \"https://github.com/decidim/decidim/pull/13571\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/decidim/decidim/releases/tag/v0.30.4\", \"name\": \"https://github.com/decidim/decidim/releases/tag/v0.30.4\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/decidim/decidim/releases/tag/v0.31.0\", \"name\": \"https://github.com/decidim/decidim/releases/tag/v0.31.0\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Decidim is a participatory democracy framework. In versions from 0.30.0 to before 0.30.4 and from 0.31.0.rc1 to before 0.31.0, the private data exports can lead to data leaks in case the UUID generation, causing collisions for the generated UUIDs. This issue has been patched in versions 0.30.4 and 0.31.0.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-200\", \"description\": \"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-703\", \"description\": \"CWE-703: Improper Check or Handling of Exceptional Conditions\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-02-03T15:05:24.738Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-65017\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-02-03T17:09:47.635Z\", \"dateReserved\": \"2025-11-13T15:36:51.680Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-02-03T15:05:24.738Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

FKIE_CVE-2025-65017

Vulnerability from fkie_nvd - Published: 2026-02-03 15:16 - Updated: 2026-02-23 17:32

Severity ?

6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/decidim/decidim/pull/13571	Issue Tracking, Patch
security-advisories@github.com	https://github.com/decidim/decidim/releases/tag/v0.30.4	Release Notes
security-advisories@github.com	https://github.com/decidim/decidim/releases/tag/v0.31.0	Release Notes
security-advisories@github.com	https://github.com/decidim/decidim/security/advisories/GHSA-3cx6-j9j4-54mp	Vendor Advisory

Impacted products

Vendor	Product	Version
decidim	decidim	*
decidim	decidim	0.31.0
decidim	decidim	0.31.0

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:decidim:decidim:*:*:*:*:*:ruby:*:*",
              "matchCriteriaId": "A444B705-4D7C-4D84-B5A9-763436254801",
              "versionEndExcluding": "0.30.4",
              "versionStartIncluding": "0.30.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:decidim:decidim:0.31.0:rc1:*:*:*:ruby:*:*",
              "matchCriteriaId": "91A8CA55-8288-4D1C-AF73-9A05EBC732F7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:decidim:decidim:0.31.0:rc2:*:*:*:ruby:*:*",
              "matchCriteriaId": "713C31FA-6596-4600-9EE6-9C6EE3ABA65F",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Decidim is a participatory democracy framework. In versions from 0.30.0 to before 0.30.4 and from 0.31.0.rc1 to before 0.31.0, the private data exports can lead to data leaks in case the UUID generation, causing collisions for the generated UUIDs. This issue has been patched in versions 0.30.4 and 0.31.0."
    },
    {
      "lang": "es",
      "value": "Decidim es un framework de democracia participativa. En las versiones desde la 0.30.0 hasta antes de la 0.30.4 y desde la 0.31.0.rc1 hasta antes de la 0.31.0, las exportaciones de datos privados pueden provocar fugas de datos en caso de la generaci\u00f3n de UUID, causando colisiones para los UUID generados. Este problema ha sido parcheado en las versiones 0.30.4 y 0.31.0."
    }
  ],
  "id": "CVE-2025-65017",
  "lastModified": "2026-02-23T17:32:33.507",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ],
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "NONE",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 8.2,
          "baseSeverity": "HIGH",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "LOW",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "HIGH",
          "subIntegrityImpact": "NONE",
          "userInteraction": "PASSIVE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "NONE",
          "vulnConfidentialityImpact": "HIGH",
          "vulnIntegrityImpact": "NONE",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-02-03T15:16:12.403",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Issue Tracking",
        "Patch"
      ],
      "url": "https://github.com/decidim/decidim/pull/13571"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/decidim/decidim/releases/tag/v0.30.4"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/decidim/decidim/releases/tag/v0.31.0"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://github.com/decidim/decidim/security/advisories/GHSA-3cx6-j9j4-54mp"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-200"
        },
        {
          "lang": "en",
          "value": "CWE-703"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

GHSA-3CX6-J9J4-54MP

Vulnerability from github – Published: 2026-02-03 17:21 – Updated: 2026-02-08 01:01

Summary

Decidim's private data exports can lead to data leaks

Details

Impact

Private data exports can lead to data leaks in cases where the UUID generation causes collisions for the generated UUIDs.

The bug was introduced by #13571 and affects Decidim versions 0.30.0 or newer (currently 2025-09-23).

This issue was discovered by running the following spec several times in a row, as it can randomly fail due to this bug:

$ cd decidim-core
$ for i in {1..10}; do bundle exec rspec spec/jobs/decidim/download_your_data_export_job_spec.rb -e "deletes the" || break ; done

Run the spec as many times as needed to hit a UUID that converts to 0 through .to_i.

The UUID to zero conversion does not cause a security issue but the security issue is demonstrated with the following example.

The following code regenerates the issue by assigning a predefined UUID that will generate a collision (example assumes there are already two existing users in the system):

# Create the ZIP buffers to be stored
buffer1 = Zip::OutputStream.write_buffer do |out|
  out.put_next_entry("admin.txt")
  out.write "Hello, admin!"
end
buffer1.rewind
buffer2 = Zip::OutputStream.write_buffer do |out|
  out.put_next_entry("user.txt")
  out.write "Hello, user!"
end
buffer2.rewind

# Create the private exports with a predefined IDs
user1 = Decidim::User.find(1)
export = user1.private_exports.build
export.id = "0210ae70-482b-4671-b758-35e13e0097a9"
export.export_type = "download_your_data"
export.file.attach(io: buffer1, filename: "foobar.zip", content_type: "application/zip")
export.expires_at = Decidim.download_your_data_expiry_time.from_now
export.metadata = {}
export.save!


user2 = Decidim::User.find(2)
export = user2.private_exports.build
export.id = "0210d2df-a0c7-40aa-ad97-2dae5083e3b8"
export.export_type = "download_your_data"
export.file.attach(io: buffer2, filename: "foobar.zip", content_type: "application/zip")
export.expires_at = Decidim.download_your_data_expiry_time.from_now
export.metadata = {}
export.save!

Expect to see an error in the situation.

Now, login as user with ID 1, go to /download_your_data, click "Download file" from the export and expect to see the data that should be attached to user with ID 2. This is an artificially replicated situation with the predefined UUIDs but it can easily happen in real situations.

The reason for the test case failure can be replicated in case you change the export ID to export.id = "e9540f96-9e3d-4abe-8c2a-6c338d85a684". This would return 0 through .to_s

After attaching that ID, you can test if the file is available for the export:

user.private_exports.last.file.attached?
=> false
user.private_exports.last.file.blob
=> nil

Note that this fails with such UUID as shown in the example and could easily lead to collisions in case the UUID starts with a number. E.g. UUID "0210ae70-482b-4671-b758-35e13e0097a9" would convert to 210 through .to_s. Therefore, if someone else has a "private" export with the prefixes "00000210", "0000210", "000210", "00210", "0210" or "210", that would cause a collision and the file could be attached to the wrong private export.

Theoretical chance of collision (the reality depends on the UUID generation algorithm):

Potential combinations of the UUID first part (8 characters hex): 16^8
Potentially colliding character combinations (8 numbers characters in the range of 0-9): 10^8
10^8 / 16^8 ≈ 2.3% (23 / 1000 users)

The root cause is that the class Decidim::PrivateExport defines an ActiveStorage relation to file and the table active_storage_attachments stores the related record_id as bigint which causes the conversion to happen.

Workarounds

Fully disable the private exports feature until a patch is available.

Severity ?

8.2 (High)


                  
                    CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "decidim-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.30.0"
            },
            {
              "fixed": "0.30.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "decidim"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.30.0"
            },
            {
              "fixed": "0.30.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-65017"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-703"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-03T17:21:17Z",
    "nvd_published_at": "2026-02-03T15:16:12Z",
    "severity": "HIGH"
  },
  "details": "### Impact\nPrivate data exports can lead to data leaks in cases where the UUID generation causes collisions for the generated UUIDs.\n\nThe bug was introduced by #13571 and affects Decidim versions 0.30.0 or newer (currently 2025-09-23).\n\nThis issue  was discovered by running the following spec several times in a row, as it can randomly fail due to this bug:\n\n```bash\n$ cd decidim-core\n$ for i in {1..10}; do bundle exec rspec spec/jobs/decidim/download_your_data_export_job_spec.rb -e \"deletes the\" || break ; done\n```\n\nRun the spec as many times as needed to hit a UUID that converts to `0` through `.to_i`.\n\nThe UUID to zero conversion does not cause a security issue but the security issue is demonstrated with the following example.\n\nThe following code regenerates the issue by assigning a predefined UUID that will generate a collision (example assumes there are already two existing users in the system):\n\n```ruby\n# Create the ZIP buffers to be stored\nbuffer1 = Zip::OutputStream.write_buffer do |out|\n  out.put_next_entry(\"admin.txt\")\n  out.write \"Hello, admin!\"\nend\nbuffer1.rewind\nbuffer2 = Zip::OutputStream.write_buffer do |out|\n  out.put_next_entry(\"user.txt\")\n  out.write \"Hello, user!\"\nend\nbuffer2.rewind\n\n# Create the private exports with a predefined IDs\nuser1 = Decidim::User.find(1)\nexport = user1.private_exports.build\nexport.id = \"0210ae70-482b-4671-b758-35e13e0097a9\"\nexport.export_type = \"download_your_data\"\nexport.file.attach(io: buffer1, filename: \"foobar.zip\", content_type: \"application/zip\")\nexport.expires_at = Decidim.download_your_data_expiry_time.from_now\nexport.metadata = {}\nexport.save!\n\n\nuser2 = Decidim::User.find(2)\nexport = user2.private_exports.build\nexport.id = \"0210d2df-a0c7-40aa-ad97-2dae5083e3b8\"\nexport.export_type = \"download_your_data\"\nexport.file.attach(io: buffer2, filename: \"foobar.zip\", content_type: \"application/zip\")\nexport.expires_at = Decidim.download_your_data_expiry_time.from_now\nexport.metadata = {}\nexport.save!\n```\n\nExpect to see an error in the situation.\n\nNow, login as user with ID 1, go to `/download_your_data`, click \"Download file\" from the export and expect to see the data that should be attached to user with ID 2. This is an artificially replicated situation with the predefined UUIDs but it can easily happen in real situations.\n\nThe reason for the test case failure can be replicated in case you change the export ID to `export.id = \"e9540f96-9e3d-4abe-8c2a-6c338d85a684\"`. This would return `0` through `.to_s`\n\nAfter attaching that ID, you can test if the file is available for the export:\n\n```ruby\nuser.private_exports.last.file.attached?\n=\u003e false\nuser.private_exports.last.file.blob\n=\u003e nil\n```\n\nNote that this fails with such UUID as shown in the example and could easily lead to collisions in case the UUID starts with a number. E.g. UUID `\"0210ae70-482b-4671-b758-35e13e0097a9\"` would convert to `210` through `.to_s`. Therefore, if someone else has a \"private\" export with the prefixes \"00000210\", \"0000210\", \"000210\", \"00210\", \"0210\" or \"210\", that would cause a collision and the file could be attached to the wrong private export.\n\nTheoretical chance of collision (the reality depends on the UUID generation algorithm):\n\n- Potential combinations of the UUID first part (8 characters hex): 16^8\n- Potentially colliding character combinations (8 numbers characters in the range of 0-9): 10^8\n- 10^8 / 16^8 \u2248 2.3% (23 / 1000 users)\n\nThe root cause is that the class `Decidim::PrivateExport` defines an ActiveStorage relation to `file` and the table `active_storage_attachments` stores the related `record_id` as `bigint` which causes the conversion to happen.\n\n### Workarounds\nFully disable the private exports feature until a patch is available.",
  "id": "GHSA-3cx6-j9j4-54mp",
  "modified": "2026-02-08T01:01:36Z",
  "published": "2026-02-03T17:21:17Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/decidim/decidim/security/advisories/GHSA-3cx6-j9j4-54mp"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-65017"
    },
    {
      "type": "WEB",
      "url": "https://github.com/decidim/decidim/pull/13571"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/decidim/decidim"
    },
    {
      "type": "WEB",
      "url": "https://github.com/decidim/decidim/releases/tag/v0.30.4"
    },
    {
      "type": "WEB",
      "url": "https://github.com/decidim/decidim/releases/tag/v0.31.0"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/decidim-core/CVE-2025-65017.yml"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/decidim/CVE-2025-65017.yml"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Decidim\u0027s private data exports can lead to data leaks"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2025-65017 (GCVE-0-2025-65017)

FKIE_CVE-2025-65017

GHSA-3CX6-J9J4-54MP

Impact

Workarounds

Tags

Sightings

Nomenclature