CVE-2025-65017: Decidim's private data exports can lead to data leaks
Private data exports can leak another user's data when the generated UUIDs collide, which happens because the UUID string is converted to an integer before it is used.
The bug was introduced by #13571 and affects Decidim versions 0.30.0 and newer (as of 2025-09-23); the fix shipped in the 0.30.4 and 0.31.0 releases linked under References.
This issue was discovered by running the following spec several times in a row, as it can randomly fail due to this bug:
$ cd decidim-core
$ for i in {1..10}; do bundle exec rspec spec/jobs/decidim/download_your_data_export_job_spec.rb -e "deletes the" || break ; done
Run the spec as many times as needed to hit a UUID that converts to 0 through String#to_i (any UUID whose first character is one of the hex letters a-f, since to_i keeps only the leading run of decimal digits).
The conversion to zero is not itself the security issue; it is merely the easiest way to observe that the UUID is being truncated. The security issue is demonstrated by the following example.
The following code reproduces the issue by assigning a predefined UUID that produces a collision (the example assumes there are already two existing users in the system):
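The advisory's own reproduction snippet is not reproduced on this page. What follows is an added illustration, not Decidim's code, of the mechanism that makes such a collision possible: Ruby's String#to_i keeps only the leading decimal digits of a string, so distinct UUIDs collapse onto a tiny set of small integers, and a lookup keyed on that integer can return a record that belongs to someone else. The UUID values, the in-memory "table" of exports and the helper names are all constructed for the example; only the to_i behaviour is Ruby's.

```ruby
require "securerandom"

# Added example, not Decidim's code. String#to_i parses the leading run of
# decimal digits and returns 0 when the string starts with anything else, so
# "2f6d..." becomes 2 and "a19c..." becomes 0. Using such a value as a record
# id maps many unrelated UUIDs onto the same handful of ids.

# Constructed UUIDs chosen so the collision is deterministic: both of the
# first two start with "2" followed by a hex letter, so both .to_i to 2.
UUID_OF_ALICE_EXPORT      = "2f6d9c1a-8b4e-4c3d-9e2f-1a2b3c4d5e6f"
UUID_OF_BOB_EXPORT        = "2a0f7e3b-1c2d-4e5f-8a9b-0c1d2e3f4a5b"
UUID_STARTING_WITH_LETTER = "a19c4e2d-7f8b-4a6c-9d0e-1f2a3b4c5d6e"

# Hypothetical in-memory table keyed by small sequential integer ids, the
# shape an auto-increment primary key has in a relational database.
EXPORTS_BY_ID = {
  1 => { owner: "alice", file: "alice-export.zip" },
  2 => { owner: "bob",   file: "bob-export.zip" },
}.freeze

# Unsafe pattern: a UUID string is coerced with to_i and used as an id.
# Alice's own export UUID happens to truncate to 2, which is Bob's record.
def find_export_by_uuid_to_i(uuid)
  EXPORTS_BY_ID[uuid.to_i]
end

# Safe pattern: treat the UUID as the opaque string it is and look the record
# up by that exact string, never by a lossy integer conversion.
EXPORTS_BY_UUID = {
  UUID_OF_ALICE_EXPORT => EXPORTS_BY_ID[1],
  UUID_OF_BOB_EXPORT   => EXPORTS_BY_ID[2],
}.freeze

def find_export_by_uuid(uuid)
  EXPORTS_BY_UUID[uuid]
end

# Quantify the collapse on random version-4 UUIDs: the first hex digit is a
# letter (a-f) 6 times out of 16, so about 37.5% of UUIDs become 0, and most
# of the rest become a one- or two-digit number.
def to_i_collision_stats(n)
  uuids = Array.new(n) { SecureRandom.uuid }
  ints = uuids.map(&:to_i)
  {
    distinct_uuids: uuids.uniq.size,
    distinct_ints: ints.uniq.size,
    zeros: ints.count(0),
  }
end

if __FILE__ == $PROGRAM_NAME
  p find_export_by_uuid_to_i(UUID_OF_ALICE_EXPORT)      # Bob's record: wrong user
  p find_export_by_uuid_to_i(UUID_STARTING_WITH_LETTER) # nil: id 0 does not exist
  p find_export_by_uuid(UUID_OF_ALICE_EXPORT)           # Alice's record
  p to_i_collision_stats(1000)
end
```

The check a practitioner wants after a fix like this is the statistics function: run it once on the patched code path and it should report as many distinct ids as distinct UUIDs. Any gap between the two numbers means an identifier is still being truncated somewhere.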
References
- github.com/advisories/GHSA-3cx6-j9j4-54mp
- github.com/decidim/decidim
- github.com/decidim/decidim/pull/13571
- github.com/decidim/decidim/releases/tag/v0.30.4
- github.com/decidim/decidim/releases/tag/v0.31.0
- github.com/decidim/decidim/security/advisories/GHSA-3cx6-j9j4-54mp
- github.com/rubysec/ruby-advisory-db/blob/master/gems/decidim-core/CVE-2025-65017.yml
- github.com/rubysec/ruby-advisory-db/blob/master/gems/decidim/CVE-2025-65017.yml
- nvd.nist.gov/vuln/detail/CVE-2025-65017