Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-65017

CVE-2025-65017: Decidim Information Disclosure Flaw

CVE-2025-65017 is an information disclosure vulnerability in Decidim that allows private data leaks through UUID collisions in data exports. This post covers the technical details, affected versions, and mitigation steps.

Published:

CVE-2025-65017 Overview

CVE-2025-65017 is an Information Disclosure vulnerability affecting Decidim, a participatory democracy framework. The vulnerability exists in the private data export functionality where improper UUID generation can lead to UUID collisions, potentially exposing sensitive user data to unauthorized parties.

Critical Impact

Private data exports may be accessed by unauthorized users due to predictable or colliding UUIDs, potentially exposing sensitive participant information in democratic processes.

Affected Products

  • Decidim versions 0.30.0 to before 0.30.4
  • Decidim versions 0.31.0.rc1 to before 0.31.0
  • Decidim deployments using private data export functionality

Discovery Timeline

  • 2026-02-03 - CVE CVE-2025-65017 published to NVD
  • 2026-02-03 - Last updated in NVD database

Technical Details for CVE-2025-65017

Vulnerability Analysis

This vulnerability falls under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The core issue lies in the UUID generation mechanism used for private data exports within Decidim. When UUIDs are generated with insufficient entropy or using a flawed algorithm, collisions can occur where multiple export requests receive the same or predictable identifiers.

In a participatory democracy platform like Decidim, private data exports typically contain sensitive information about participants, their votes, proposals, and other democratic engagement data. When UUID collisions occur, an attacker who generates their own export request could potentially receive an identifier that matches another user's export, thereby gaining access to that user's private data.

The vulnerability is exploitable over the network and requires low-privileged access to the application (a registered user account). Some user interaction is required to trigger the export functionality. The confidentiality impact is significant as it can expose both the vulnerable system's data and potentially cascade to connected systems.

Root Cause

The root cause of this vulnerability is improper implementation of UUID generation for private data export identifiers. Secure UUID generation requires sufficient randomness and entropy to ensure that generated identifiers are unique and unpredictable. When the UUID generation algorithm fails to provide adequate randomness, it creates conditions where:

  1. Multiple export requests may receive identical UUIDs (collision)
  2. UUIDs may follow predictable patterns that attackers can enumerate
  3. Export files become accessible to users who did not create them

Attack Vector

The attack vector is network-based, requiring an authenticated user to exploit the vulnerability. An attacker would need to:

  1. Create a legitimate account on a vulnerable Decidim instance
  2. Initiate private data export requests
  3. Observe or predict UUID patterns in export URLs
  4. Attempt to access exports belonging to other users by exploiting UUID collisions or predictable generation

The vulnerability does not require complex attack chains and can be exploited with standard web requests once the attacker understands the UUID generation weakness.

The vulnerability manifests in the UUID generation mechanism for private data exports. Technical details and the specific fix can be found in the GitHub Pull Request #13571 and the GitHub Security Advisory GHSA-3cx6-j9j4-54mp.

Detection Methods for CVE-2025-65017

Indicators of Compromise

  • Multiple users receiving access to the same export file or UUID
  • Unusual patterns in export request logs showing repeated or sequential UUIDs
  • Access logs indicating users downloading exports they did not initiate
  • Reports from users about receiving incorrect or others' data in exports

Detection Strategies

  • Monitor export functionality logs for UUID collision events
  • Implement alerting on export access attempts where the requesting user differs from the export creator
  • Review application logs for anomalous patterns in private data export requests
  • Audit existing export UUIDs for duplicates or predictable sequences

Monitoring Recommendations

  • Enable detailed logging for all private data export operations
  • Set up real-time alerts for any detected UUID collisions in export functionality
  • Monitor for bulk or automated export request patterns that may indicate enumeration attempts
  • Conduct periodic audits of export access logs to identify unauthorized data access

How to Mitigate CVE-2025-65017

Immediate Actions Required

  • Upgrade Decidim to version 0.30.4 or 0.31.0 immediately
  • Review export access logs for signs of data leakage
  • Notify potentially affected users if unauthorized access is suspected
  • Temporarily disable private data export functionality if immediate patching is not possible

Patch Information

The Decidim development team has addressed this vulnerability in versions 0.30.4 and 0.31.0. The fix improves the UUID generation mechanism to prevent collisions and ensure export identifiers are cryptographically secure and unpredictable.

Patched versions are available:

For detailed patch information, refer to the GitHub Pull Request #13571.

Workarounds

  • Disable private data export functionality until patching is complete
  • Implement additional access controls to verify export ownership before serving files
  • Add rate limiting on export requests to slow potential enumeration attacks
  • Monitor and restrict export functionality to trusted user roles only
bash
# Example: Check current Decidim version
bundle show decidim

# Update Decidim in Gemfile to patched version
# For 0.30.x branch:
# gem "decidim", "~> 0.30.4"
# For 0.31.x branch:
# gem "decidim", "~> 0.31.0"

# Then run bundle update
bundle update decidim

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.