CVE-2025-65017
MEDIUM
Decidim 0.30.0-0.30.3 and 0.31.0.rc1 - Unauthorized Data Exposure via UUID Collision
Decidim is a participatory democracy framework. In versions from 0.30.0 to before 0.30.4, and from 0.31.0.rc1 to before 0.31.0, the private data export feature can leak data when UUID generation produces colliding UUIDs for different exports, so that data belonging to one export can be exposed through another. This issue has been patched in versions 0.30.4 and 0.31.0.
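The following is an added illustration written for this page, not Decidim's code and not a reproduction of the exact flaw fixed in 0.30.4 and 0.31.0. It shows the general pattern the CWE pair describes: an export store whose only access gate is a generated token. When the generator can repeat values and nothing detects the repeat (CWE-703), one user's export becomes readable under another user's token (CWE-200). The hardened variant draws tokens from SecureRandom.uuid, treats a collision as an error, and checks ownership on download so a repeated or leaked token alone is never sufficient. All class and method names, and the deliberately faulty generator, are assumptions made for the example.

```ruby
require "securerandom"

# Added illustration for this advisory, not Decidim's code: a file-export
# store whose only access gate is a generated token. If the token generator
# can repeat values (CWE-703: the collision is never detected) the export of
# one user becomes reachable under another user's token (CWE-200).
# All class and method names here are assumptions made for the example.

ExportRecord = Struct.new(:owner_id, :payload)

# Vulnerable pattern: token uniqueness is assumed, a collision silently
# overwrites the earlier record, and the download path never checks who asks.
class VulnerableExportStore
  def initialize(generator)
    @generator = generator # callable returning a token string
    @records = {}
  end

  def create(owner_id, payload)
    token = @generator.call
    @records[token] = ExportRecord.new(owner_id, payload) # overwrite on collision
    token
  end

  def download(_requester_id, token)
    @records.fetch(token).payload # whoever holds the token gets the data
  end
end

# Hardened pattern: cryptographically random UUIDs, a collision treated as an
# error instead of ignored, and an ownership check on every download.
class HardenedExportStore
  class CollisionError < StandardError; end
  class Forbidden < StandardError; end

  def initialize(generator = -> { SecureRandom.uuid })
    @generator = generator
    @records = {}
  end

  def create(owner_id, payload)
    token = @generator.call
    raise CollisionError, "export token already in use" if @records.key?(token)
    @records[token] = ExportRecord.new(owner_id, payload)
    token
  end

  def download(requester_id, token)
    record = @records[token]
    raise Forbidden, "no such export for this user" if record.nil? || record.owner_id != requester_id
    record.payload
  end
end

# Constructed faulty generator: a counter reduced modulo a tiny space, so a
# repeat is guaranteed almost immediately. Real collisions come from misuse or
# reseeding of the RNG; the effect on the store is identical.
def colliding_generator(space = 1)
  counter = 0
  -> { counter += 1; format("%08x", counter % space) }
end

# Alice and Bob both export their data; the vulnerable store hands each of
# them the same token, and Bob's export overwrites Alice's.
def demo_vulnerable
  store = VulnerableExportStore.new(colliding_generator)
  alice_token = store.create("alice", "alice private data")
  bob_token   = store.create("bob",   "bob private data")
  {
    same_token: alice_token == bob_token,
    alice_sees: store.download("alice", alice_token) # => "bob private data"
  }
end

# Same faulty generator, hardened store: the second create fails loudly.
def demo_hardened_collision
  store = HardenedExportStore.new(colliding_generator)
  store.create("alice", "alice private data")
  store.create("bob", "bob private data")
  :collision_not_detected
rescue HardenedExportStore::CollisionError
  :collision_rejected
end

# Even with a correct generator, a token presented by the wrong user is refused.
def demo_hardened_ownership
  store = HardenedExportStore.new
  token = store.create("alice", "alice private data")
  store.download("bob", token)
  :leaked
rescue HardenedExportStore::Forbidden
  :forbidden
end

if $PROGRAM_NAME == __FILE__
  p demo_vulnerable, demo_hardened_collision, demo_hardened_ownership
end
```

The point of the hardened store is that identifier uniqueness and authorization are separate controls: a random UUID makes collisions astronomically unlikely, but the ownership check is what keeps a collision, a misconfigured RNG, or a leaked URL from turning into a data exposure, and raising on a duplicate key turns a silent overwrite into a logged, investigable event.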
References (4)
Vendor Advisory: https://github.com/decidim/decidim/security/advisories/GHSA-3cx6-j9j4-54mp
Issue Tracking (fix PR): https://github.com/decidim/decidim/pull/13571
Release Notes: https://github.com/decidim/decidim/releases/tag/v0.30.4
Release Notes: https://github.com/decidim/decidim/releases/tag/v0.31.0
Scores
CVSS v3
6.5
EPSS
0.0026
EPSS Percentile
17.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
(network-reachable, low attack complexity, low privileges required, i.e. an authenticated user, no user interaction, unchanged scope; high confidentiality impact, no integrity or availability impact)
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
total
Details
CWE
CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CWE-703: Improper Check or Handling of Exceptional Conditions
Status
published
Products (4)
decidim/decidim
0.31.0 rc1 (2 CPE variants)
decidim/decidim
0.30.0 up to, but not including, 0.30.4
rubygems/decidim
0.30.0 up to, but not including, 0.30.4 (RubyGems)
rubygems/decidim-core
0.30.0 up to, but not including, 0.30.4 (RubyGems)
Published
Feb 03, 2026
Tracked Since
Feb 18, 2026