
CVE-2025-65017: Decidim's private data exports can lead to data leaks

February 3, 2026

Private data exports can lead to data leaks in cases where the UUID generation causes collisions for the generated UUIDs.

The bug was introduced by #13571 and affects Decidim versions 0.30.0 and newer (all releases as of 2025-09-23).

This issue was discovered by running the following spec several times in a row, as it can randomly fail due to this bug:

$ cd decidim-core
$ for i in {1..10}; do bundle exec rspec spec/jobs/decidim/download_your_data_export_job_spec.rb -e "deletes the" || break ; done

Run the spec as many times as needed to hit a UUID that converts to 0 through .to_i.

Hitting a UUID that converts to zero is not itself the security issue; it only exposes the lossy conversion. The security issue is demonstrated with the following example.

The following code reproduces the issue by assigning a predefined UUID that will generate a collision (the example assumes there are already two existing users in the system):
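The advisory's own reproduction snippet does not appear on this page. The Ruby script below is an added example, not Decidim's code, illustrating the mechanism the advisory points at: Ruby's String#to_i reads only the leading decimal digits of a string and returns 0 when there are none, so a UUID beginning with a hex letter becomes 0 and UUIDs sharing a leading digit run become the same integer. Distinct UUIDs therefore collapse onto a handful of keys, and two users' exports can collide, which is the leak the advisory describes. The function names `lossy_export_key`, `safe_export_key`, `collision_stats` and `same_export?` and all sample UUIDs are constructed for this illustration and are not from the project.

```ruby
require "securerandom"

# Added example (not Decidim's code): shows why deriving a key from a UUID string
# with String#to_i collapses many distinct UUIDs onto the same integer, and how
# keying on the full UUID avoids the collision.

# The lossy derivation. String#to_i parses only the leading decimal digits and
# returns 0 when there are none, so "f3a1..." becomes 0 and "42cd..." becomes 42.
# Hypothetical stand-in for the conversion the advisory refers to.
def lossy_export_key(uuid)
  uuid.to_i
end

# The safe alternative (hypothetical name): keep the whole UUID as the key and
# reject anything that is not a well-formed UUID instead of silently truncating.
def safe_export_key(uuid)
  uuid = uuid.to_s.downcase
  unless uuid.match?(/\A\h{8}-\h{4}-\h{4}-\h{4}-\h{12}\z/)
    raise ArgumentError, "not a UUID: #{uuid.inspect}"
  end
  uuid
end

# Measures how many distinct keys a derivation yields for a batch of UUIDs.
# Returns [distinct_key_count, number_of_uuids_that_became_0].
def collision_stats(uuids, &derive)
  keys = uuids.map(&derive)
  [keys.uniq.size, keys.count { |k| k == 0 }]
end

# True when two users' UUIDs would be handed the same export key.
def same_export?(uuid_a, uuid_b, &derive)
  derive.call(uuid_a) == derive.call(uuid_b)
end

# Constructed UUIDs (not from the advisory), chosen to show each case.
SAMPLE_UUIDS = [
  "f3a1c2d4-0000-4000-8000-000000000001", # leading letter: to_i gives 0
  "ab12ef34-0000-4000-8000-000000000002", # also 0: collides with the previous
  "42cd0000-0000-4000-8000-000000000003", # to_i gives 42
  "42ab9999-0000-4000-8000-000000000004", # also 42: collides with the previous
  "7e000000-0000-4000-8000-000000000005", # to_i gives 7
].freeze

if __FILE__ == $PROGRAM_NAME
  distinct, zeros = collision_stats(SAMPLE_UUIDS) { |u| lossy_export_key(u) }
  puts "lossy: #{distinct} distinct keys for #{SAMPLE_UUIDS.size} UUIDs (#{zeros} became 0)"
  distinct, = collision_stats(SAMPLE_UUIDS) { |u| safe_export_key(u) }
  puts "safe:  #{distinct} distinct keys for #{SAMPLE_UUIDS.size} UUIDs"

  # Random v4 UUIDs behave the same way: 6 of the 16 possible first hex digits
  # are letters, so a zero key shows up within a few runs, matching the
  # "run the spec several times" reproduction in the advisory.
  random = Array.new(1000) { SecureRandom.uuid }
  distinct, zeros = collision_stats(random) { |u| lossy_export_key(u) }
  puts "1000 random UUIDs -> #{distinct} distinct lossy keys, #{zeros} of them 0"
end
```

The defender-side takeaway is the `collision_stats` check: a test that derives keys for a batch of freshly generated UUIDs and asserts the count of distinct keys equals the batch size fails deterministically under the lossy conversion, rather than only occasionally as the spec in the advisory does.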

References

  • github.com/advisories/GHSA-3cx6-j9j4-54mp
  • github.com/decidim/decidim
  • github.com/decidim/decidim/pull/13571
  • github.com/decidim/decidim/releases/tag/v0.30.4
  • github.com/decidim/decidim/releases/tag/v0.31.0
  • github.com/decidim/decidim/security/advisories/GHSA-3cx6-j9j4-54mp
  • nvd.nist.gov/vuln/detail/CVE-2025-65017


Affected versions

All versions starting from 0.30.0 before 0.30.4

Fixed versions

  • 0.30.4

Solution

Upgrade to version 0.30.4 or above.

Impact 6.8 MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N


Weakness

  • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
  • CWE-703: Improper Check or Handling of Exceptional Conditions

Source file

gem/decidim/CVE-2025-65017.yml


Page generated Wed, 04 Feb 2026 00:36:00 +0000.