Lookup for vulnerable packages by Package URL.
| Purl | pkg:gem/decidim@0.30.4 |
|---|
| Type | gem |
|---|
| Namespace | |
|---|
| Name | decidim |
|---|
| Version | 0.30.4 |
|---|
| Qualifiers |
|
|---|
| Subpath | |
|---|
| Is_vulnerable | true |
|---|
| Next_non_vulnerable_version | null |
|---|
| Latest_non_vulnerable_version | null |
|---|
| Affected_by_vulnerabilities |
| 0 |
| url |
VCID-z21p-469r-bkfx |
| vulnerability_id |
VCID-z21p-469r-bkfx |
| summary |
Decidim's private data exports can lead to data leaks
Private data exports can lead to data leaks in cases where the UUID generation causes collisions for the generated UUIDs.
The bug was introduced by #13571 and affects Decidim versions 0.30.0 or newer (currently 2025-09-23).
This issue was discovered by running the following spec several times in a row, as it can randomly fail due to this bug:
```bash
$ cd decidim-core
$ for i in {1..10}; do bundle exec rspec spec/jobs/decidim/download_your_data_export_job_spec.rb -e "deletes the" || break ; done
```
Run the spec as many times as needed to hit a UUID that converts to `0` through `.to_i`.
The UUID to zero conversion does not cause a security issue but the security issue is demonstrated with the following example.
The following code regenerates the issue by assigning a predefined UUID that will generate a collision (example assumes there are already two existing users in the system):
```ruby |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2025-65017, GHSA-3cx6-j9j4-54mp
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-z21p-469r-bkfx |
|
|
|---|
| Fixing_vulnerabilities |
| 0 |
| url |
VCID-z21p-469r-bkfx |
| vulnerability_id |
VCID-z21p-469r-bkfx |
| summary |
Decidim's private data exports can lead to data leaks
Private data exports can lead to data leaks in cases where the UUID generation causes collisions for the generated UUIDs.
The bug was introduced by #13571 and affects Decidim versions 0.30.0 or newer (currently 2025-09-23).
This issue was discovered by running the following spec several times in a row, as it can randomly fail due to this bug:
```bash
$ cd decidim-core
$ for i in {1..10}; do bundle exec rspec spec/jobs/decidim/download_your_data_export_job_spec.rb -e "deletes the" || break ; done
```
Run the spec as many times as needed to hit a UUID that converts to `0` through `.to_i`.
The UUID to zero conversion does not cause a security issue but the security issue is demonstrated with the following example.
The following code regenerates the issue by assigning a predefined UUID that will generate a collision (example assumes there are already two existing users in the system):
```ruby |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2025-65017, GHSA-3cx6-j9j4-54mp
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-z21p-469r-bkfx |
|
|
|---|
| Risk_score | 4.0 |
|---|
| Resource_url | http://public2.vulnerablecode.io/packages/pkg:gem/decidim@0.30.4 |
|---|