CVE-2025-65017

6.5 MEDIUM

📋 TL;DR

This vulnerability in Decidim's private data export feature stems from colliding UUIDs used to identify generated exports: because the identifiers are not guaranteed to be unique, one participant's export can become reachable by a different user, exposing private participant data. Decidim 0.30.0 through 0.30.3 and the 0.31.0.rc1 prerelease are affected; 0.30.4 and 0.31.0 contain the fix.

💻 Affected Systems

Products:
  • Decidim
Versions: 0.30.0 to 0.30.3, and 0.31.0.rc1
Operating Systems: Any OS running Decidim
Default Config Vulnerable: ⚠️ Yes
Notes: The private data export feature is part of the affected releases and needs no extra configuration, so any installation running one of these versions is exposed.

📦 What is this software?

Decidim is an open-source participatory democracy framework, built on Ruby on Rails and distributed as a set of Ruby gems (decidim, decidim-core and the module gems), that cities and organizations use to run participatory processes, assemblies, proposals and votes. Private data exports are generated files containing participant data that are meant to be retrievable only by the user entitled to them.

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker with an account on the instance retrieves other participants' private data exports, exposing personal details and whatever other private participant data the exports contain (for example voting records and confidential discussions).

🟠 Likely Case

Partial data leakage where some private exports become accessible to unauthorized users due to UUID collisions.

🟢 If Mitigated

No data leakage occurs as proper UUID generation ensures unique, non-colliding identifiers for each export.

🌐 Internet-Facing: HIGH - Decidim instances are typically internet-facing participatory platforms, making them accessible to potential attackers.
🏢 Internal Only: MEDIUM - Even internal instances could be compromised by insider threats or compromised accounts.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires an authenticated account on the Decidim instance and the ability to request or retrieve private data exports; the attacker then relies on the colliding identifiers to reach an export that belongs to someone else. No public proof of concept is known.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.30.4 or 0.31.0

Vendor Advisory: https://github.com/decidim/decidim/security/advisories/GHSA-3cx6-j9j4-54mp

Restart Required: Yes

Instructions:

1. Back up the Decidim database and application before upgrading.
2. In the Gemfile, require the patched version: decidim '~> 0.30.4' (stays on the 0.30 series) or decidim '~> 0.31.0'. Moving from 0.30.x to 0.31.0 is a minor-version upgrade, so follow the Decidim upgrade notes for it rather than treating it as a drop-in patch.
3. Run bundle update decidim (together with the decidim-* module gems you use) so that Gemfile.lock resolves to the patched release.
4. Run bin/rails db:migrate to apply any pending migrations.
5. Restart the application server and any background job workers so the new code is loaded.

🔧 Temporary Workarounds

Disable Private Data Exports

Applies to: all affected versions

Decidim does not expose a configuration switch that turns off the private data export feature, and the line config.exports = { enabled: false } sometimes suggested for config/initializers/decidim.rb is not a recognized Decidim option: setting it has no effect. Until you can upgrade, the practical way to disable the feature is to block the export routes in front of the application (at the reverse proxy, or with a Rack middleware that answers 404 for those paths) and to limit who can reach the administration side. Confirm the exact paths on your instance from the Rails route listing before blocking them.
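As an added example (not Decidim's own code and not taken from the advisory), the following Rack middleware refuses any request whose path matches a list of patterns and records the attempt, so blocked requests are visible in the application log. The %r{\A/exports} pattern is an illustrative placeholder; replace it with the real export routes of your instance, which you can list with bin/rails routes | grep -i export. The class name, the file location and the Rails wiring in the comments are assumptions about where you would install it.

```ruby
# BlockDecidimExports: a small Rack middleware that refuses requests to the
# private data export endpoints while an instance cannot be upgraded.
# Added example, not part of Decidim. The path pattern is a placeholder:
# replace it with the routes reported by `bin/rails routes | grep -i export`.
class BlockDecidimExports
  # Illustrative pattern only; adjust to your instance's real export routes.
  DEFAULT_PATTERNS = [%r{\A/exports(/|\z)}].freeze

  # app:      the downstream Rack application (Rails)
  # patterns: regexes matched against the request path
  # logger:   anything responding to #warn (Rails.logger in a real app); nil stays silent
  def initialize(app, patterns = DEFAULT_PATTERNS, logger = nil)
    @app = app
    @patterns = patterns
    @logger = logger
  end

  def call(env)
    path = env["PATH_INFO"].to_s
    return @app.call(env) unless blocked?(path)

    @logger&.warn(
      "blocked export request #{env['REQUEST_METHOD']} #{path} " \
      "from #{env['REMOTE_ADDR'] || 'unknown'}"
    )
    # A plain 404 avoids confirming to a probing client that the feature exists.
    [404, { "content-type" => "text/plain" }, ["Not Found"]]
  end

  # True when the path matches any configured pattern.
  def blocked?(path)
    @patterns.any? { |pattern| pattern.match?(path) }
  end
end

# Wiring (assumed placement): save this file as lib/block_decidim_exports.rb and
# add to config/application.rb inside the Application class:
#   require_relative "../lib/block_decidim_exports"
#   config.middleware.insert_before 0, BlockDecidimExports, BlockDecidimExports::DEFAULT_PATTERNS, Rails.logger
#
# Stand-alone demonstration with a fake downstream app; no Rack gem is needed,
# since a Rack env is just a Hash and a Rack app is anything responding to #call.
if __FILE__ == $PROGRAM_NAME
  app = ->(_env) { [200, { "content-type" => "text/plain" }, ["ok"]] }
  middleware = BlockDecidimExports.new(app)
  blocked = middleware.call("PATH_INFO" => "/exports/1", "REQUEST_METHOD" => "GET", "REMOTE_ADDR" => "203.0.113.5")
  allowed = middleware.call("PATH_INFO" => "/processes", "REQUEST_METHOD" => "GET")
  puts "export request -> #{blocked[0]}, other request -> #{allowed[0]}"
end
```

Blocking at the Rack layer reaches every way the application is served, whereas a proxy rule only covers traffic that passes through that proxy; keeping the list of patterns tight matters, because an over-broad regex would also take down unrelated features that happen to share a path prefix.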

🧯 If You Can't Patch

  • Implement strict access controls and monitoring for data export functionality
  • Enable detailed logging for all data export activities and review regularly

🔍 How to Verify

Check if Vulnerable:

Check your Gemfile.lock for the locked Decidim version (gem specs sit under "specs:" indented by four spaces, so this avoids matching dependency lines): grep -E '^ {4}decidim(-core)? \(' Gemfile.lock

Check Version:

From the application directory, ask the running code which version it reports: bundle exec rails runner 'puts Decidim.version'

Verify Fix Applied:

The decidim-core entry in Gemfile.lock (and the value printed by Decidim.version) should read 0.30.4 or later on the 0.30 series, or 0.31.0 or later. 0.31.0.rc1 is a vulnerable prerelease and does not count as fixed.
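The version ranges above are easy to get wrong by hand because a prerelease such as 0.31.0.rc1 sorts above 0.30.4 but below 0.31.0. As an added example (not from Decidim or the advisory), the following Ruby script reads a Gemfile.lock, pulls out the locked decidim-core (or decidim) version and decides whether it falls in the affected ranges using RubyGems' own version ordering. The lockfile excerpt embedded in it is constructed for the demonstration.

```ruby
# Added example (not from Decidim or the advisory): decide from a Gemfile.lock
# whether the locked Decidim version falls in the vulnerable ranges
# 0.30.0..0.30.3 and 0.31.0.rc1, using RubyGems' own version ordering so
# prerelease tags are compared correctly.
require "rubygems"

FIRST_VULNERABLE = Gem::Version.new("0.30.0")
FIXED_030 = Gem::Version.new("0.30.4")             # first fixed release on the 0.30 series
VULNERABLE_PRERELEASE = Gem::Version.new("0.31.0.rc1")

# True when the given version string is one the advisory lists as affected.
def decidim_vulnerable?(version_string)
  version = Gem::Version.new(version_string)
  # Gem::Version orders 0.31.0.rc1 below 0.31.0 and above 0.30.4, so the
  # prerelease has to be matched explicitly rather than by range.
  return true if version == VULNERABLE_PRERELEASE

  version >= FIRST_VULNERABLE && version < FIXED_030
end

# Extract the locked decidim-core version (falling back to the decidim meta gem)
# from Gemfile.lock text. In the lockfile, gem specs sit under "specs:" indented by
# exactly four spaces; dependencies of a spec are indented by six, so anchoring on
# four spaces avoids matching "decidim-core (= 0.30.3)" dependency lines.
def decidim_version_from_lockfile(lockfile_text)
  %w[decidim-core decidim].each do |gem_name|
    match = lockfile_text.match(/^ {4}#{Regexp.escape(gem_name)} \(([^)]+)\)$/)
    return match[1] if match
  end
  nil
end

# Small report for a lockfile; :vulnerable is nil when no Decidim gem is found.
def check_lockfile(lockfile_text)
  version = decidim_version_from_lockfile(lockfile_text)
  { version: version, vulnerable: version && decidim_vulnerable?(version) }
end

# Constructed sample lockfile excerpt (not taken from any real project).
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      decidim (0.30.3)
        decidim-core (= 0.30.3)
      decidim-core (0.30.3)
        active_link_to (~> 1.0)
LOCK

# Usage: ruby check_decidim_version.rb [path/to/Gemfile.lock]
if __FILE__ == $PROGRAM_NAME
  text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCKFILE
  puts check_lockfile(text).inspect
end
```

The check looks at decidim-core first because a deployment that pins only the module gems it uses may have no decidim meta gem line at all, while decidim-core is always present.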

📡 Detection & Monitoring

Log Indicators:

  • Unusual access patterns to the data export endpoints (bursts of requests, requests outside normal usage hours)
  • Export downloads that do not correspond to an export requested by the same account
  • Successful export downloads from accounts that have never used the feature before

Network Indicators:

  • Unusual traffic to /exports or similar data export endpoints
  • Multiple requests for the same export UUID

SIEM Query:

source="decidim_logs" uri_path="/exports/*" | stats dc(src_ip) AS sources, count BY export_id | where sources > 1

(Splunk-style pseudo-query; adapt the path pattern and the field names to how your pipeline parses the Rails request log. Searching for a message="UUID collision" line, as earlier versions of this page suggested, finds nothing, because no such log message exists in Decidim.)
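The same correlation can be run directly over the Rails request log when no SIEM is in place. As an added example (not from Decidim or the advisory), the Ruby script below parses lines in the default Rails "Started GET ..." format, groups export downloads by identifier and reports any identifier fetched from more than one source address. The /exports/<id>/download path and the sample log lines are constructed for the demonstration; adjust the regex to the export routes of your instance.

```ruby
# Added example (not from Decidim or the advisory): scan Rails request-log lines
# for export downloads and flag any export identifier fetched from more than one
# source address, the indicator listed under network indicators above.
# The export path /exports/<id>/download is an assumed placeholder; adjust the
# regex to the export routes of your instance.

# Matches the default Rails request log line, e.g.
#   Started GET "/exports/<id>/download" for 203.0.113.5 at 2025-11-20 10:00:00 +0000
EXPORT_REQUEST = %r{
  \AStarted\s+GET\s+"/exports/(?<export_id>[0-9a-f-]{36})(?:/download)?[^"]*"\s+
  for\s+(?<ip>\S+)\s+at\s+(?<time>.+)\z
}x

# Parse one log line; returns nil for lines that are not export downloads.
def parse_export_request(line)
  m = EXPORT_REQUEST.match(line.strip)
  return nil unless m

  { export_id: m[:export_id], ip: m[:ip], time: m[:time] }
end

# Group export requests by identifier and return those fetched from more than one
# distinct IP, mapping the identifier to the sorted list of source addresses.
def shared_export_ids(log_lines)
  by_id = Hash.new { |h, k| h[k] = [] }
  log_lines.each do |line|
    req = parse_export_request(line)
    by_id[req[:export_id]] << req[:ip] if req
  end
  by_id.each_with_object({}) do |(id, ips), out|
    distinct = ips.uniq.sort
    out[id] = distinct if distinct.size > 1
  end
end

# Constructed sample log lines (not from a real instance). The second export id is
# downloaded from two different addresses and should be flagged; the first is
# downloaded twice from the same address and should not.
SAMPLE_LOG = <<~LOG
  Started GET "/processes" for 203.0.113.10 at 2025-11-20 10:00:00 +0000
  Started GET "/exports/0f3c2e1a-8b4d-4c6e-9a1f-2d3e4f5a6b7c/download" for 203.0.113.10 at 2025-11-20 10:01:00 +0000
  Started GET "/exports/0f3c2e1a-8b4d-4c6e-9a1f-2d3e4f5a6b7c/download" for 203.0.113.10 at 2025-11-20 10:02:00 +0000
  Started GET "/exports/7a9b8c7d-6e5f-4a3b-8c2d-1e0f9a8b7c6d/download" for 198.51.100.7 at 2025-11-20 10:03:00 +0000
  Started GET "/exports/7a9b8c7d-6e5f-4a3b-8c2d-1e0f9a8b7c6d/download" for 203.0.113.44 at 2025-11-20 10:05:00 +0000
LOG

# Usage: ruby shared_exports.rb [path/to/production.log]
if __FILE__ == $PROGRAM_NAME
  lines = ARGV[0] ? File.readlines(ARGV[0]) : SAMPLE_LOG.lines
  shared_export_ids(lines).each { |id, ips| puts "#{id} fetched from #{ips.join(', ')}" }
end
```

Source address is a weak proxy for identity (shared NATs produce false positives, and an attacker behind the victim's address would be missed), so where the instance logs the authenticated user alongside the request, group by account instead of by IP.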

🔗 References

  • Vendor advisory: https://github.com/decidim/decidim/security/advisories/GHSA-3cx6-j9j4-54mp
  • Decidim source repository: https://github.com/decidim/decidim
