CVE-2025-65017
MEDIUM
Rubygems Decidim-core < 0.30.4 - Information Disclosure
Title source: ruleDescription
Decidim is a participatory democracy framework. In versions from 0.30.0 to before 0.30.4 and from 0.31.0.rc1 to before 0.31.0, private data exports can lead to data leaks if the UUID generation causes collisions among the generated UUIDs. This issue has been patched in versions 0.30.4 and 0.31.0.
Scores
CVSS v3
6.5
EPSS
0.0004
EPSS Percentile
13.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
total
Details
CWE
CWE-200
CWE-703
Status
published
Products (4)
decidim/decidim
0.31.0 rc1 (2 CPE variants)
decidim/decidim
0.30.0 - 0.30.4
rubygems/decidim
0.30.0 - 0.30.4 (RubyGems)
rubygems/decidim-core
0.30.0 - 0.30.4 (RubyGems)
Published
Feb 03, 2026
Tracked Since
Feb 18, 2026