CVE-2025-65017
MEDIUM
Rubygems Decidim-core < 0.30.4 - Information Disclosure
Decidim is a participatory democracy framework. In versions from 0.30.0 to before 0.30.4 and from 0.31.0.rc1 to before 0.31.0, the private data exports can lead to data leaks if the UUID generation causes collisions among the generated UUIDs. This issue has been patched in versions 0.30.4 and 0.31.0.
Scores
CVSS v3
6.5
EPSS
0.0004
EPSS Percentile
11.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Classification
CWE
CWE-200
CWE-703
Status
published
Affected Products (5)
rubygems/decidim-core
< 0.30.4 (RubyGems)
rubygems/decidim
< 0.30.4 (RubyGems)
decidim/decidim
< 0.30.4
decidim/decidim
decidim/decidim
Timeline
Published
Feb 03, 2026
Tracked Since
Feb 18, 2026