Executive Summary

CVE-2025-65017 is a high-severity vulnerability in the Decidim participatory democracy framework affecting versions 0.30.0 to before 0.30.4 and 0.31.0.rc1 to before 0.31.0. The issue arises from collisions in UUID generation used for private data exports.

Specifically, UUIDs assigned to private exports can collide when converted to integers due to the storage of related ActiveStorage attachment record IDs as bigints in the database. UUIDs starting with numeric characters can convert to the same integer value, causing collisions.

This collision can cause a user to download private export files belonging to another user, leading to unauthorized data disclosure.

The root cause is a mismatch between UUID string IDs and the bigint type used in the active_storage_attachments table, leading to improper conversions and collisions.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability severely impacts confidentiality by allowing unauthorized users to access private data exports belonging to other users.

Integrity and availability are not affected by this issue.

Exploitation requires low privileges and low attack complexity but does require user interaction, such as logging in and downloading data.

The attack vector is network-based, meaning the vulnerability can be exploited remotely.

Useful 0 Not Useful 0

Detection Guidance

The vulnerability arises from UUID collisions in private data exports within Decidim versions 0.30.0 to before 0.30.4 and 0.31.0.rc1 to before 0.31.0. Detection involves identifying if your system is running a vulnerable Decidim version and if private exports are enabled.

There are no specific detection commands provided in the available resources. However, the issue was demonstrated by running test specifications multiple times to observe random failures caused by UUID collisions, and by manually assigning predefined UUIDs to exports to trigger collisions.

A practical approach to detection could include checking the Decidim version installed (e.g., by inspecting the Gemfile.lock or running `bundle list | grep decidim`), and verifying if private exports are enabled and in use.

Since the UUID collision occurs due to improper conversion of UUID strings to integers in the active_storage_attachments table, inspecting the database for duplicate or colliding UUIDs in private export records might help detect the issue, but no specific SQL queries or commands are provided.

Useful 0 Not Useful 0

Mitigation Strategies

The recommended immediate mitigation is to fully disable the private exports feature until a patched version of Decidim is installed.

Upgrading to Decidim versions 0.30.4 or 0.31.0 and later will patch this vulnerability.

For users unable to upgrade immediately, disabling private exports prevents the UUID collision issue and unauthorized data leaks.

After upgrading, it is advised to run the provided upgrade tasks such as `bin/rails decidim:upgrade:clean:remove_private_exports_attachments` to expire previously generated private export files and ensure data consistency.

Backing up your database, application code, and static files before upgrading is also strongly recommended.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability in Decidim causes collisions in UUID generation for private data exports, leading to unauthorized access to private user data exports. This results in a severe confidentiality breach where users can download private export files belonging to other users.

Such unauthorized data disclosure directly impacts compliance with data protection regulations like GDPR and HIPAA, which mandate strict controls over personal and sensitive data confidentiality and access.

Because the vulnerability allows low-privilege users to access private data of others, it increases the risk of non-compliance with these standards, potentially leading to regulatory penalties and loss of trust.

Mitigation involves disabling the private exports feature until patched versions (0.30.4 and 0.31.0) are applied, which is critical to maintaining compliance and protecting user data privacy.

Useful 0 Not Useful 0