VulnerableCode Package Details - pkg:gem/decidim-core@0.31.1

Search for packages

Vulnerability	Summary	Fixed by
VCID-z21p-469r-bkfx Aliases: CVE-2025-65017 GHSA-3cx6-j9j4-54mp	Decidim's private data exports can lead to data leaks Private data exports can lead to data leaks in cases where the UUID generation causes collisions for the generated UUIDs. The bug was introduced by #13571 and affects Decidim versions 0.30.0 or newer (currently 2025-09-23). This issue was discovered by running the following spec several times in a row, as it can randomly fail due to this bug: ```bash $ cd decidim-core $ for i in {1..10}; do bundle exec rspec spec/jobs/decidim/download_your_data_export_job_spec.rb -e "deletes the" \|\| break ; done ``` Run the spec as many times as needed to hit a UUID that converts to `0` through `.to_i`. The UUID to zero conversion does not cause a security issue but the security issue is demonstrated with the following example. The following code regenerates the issue by assigning a predefined UUID that will generate a collision (example assumes there are already two existing users in the system): ```ruby	There are no reported fixed by versions.

Vulnerability

Summary

Fixed by

VCID-z21p-469r-bkfx
Aliases:
CVE-2025-65017
GHSA-3cx6-j9j4-54mp

Decidim's private data exports can lead to data leaks Private data exports can lead to data leaks in cases where the UUID generation causes collisions for the generated UUIDs. The bug was introduced by #13571 and affects Decidim versions 0.30.0 or newer (currently 2025-09-23). This issue was discovered by running the following spec several times in a row, as it can randomly fail due to this bug: ```bash $ cd decidim-core $ for i in {1..10}; do bundle exec rspec spec/jobs/decidim/download_your_data_export_job_spec.rb -e "deletes the" || break ; done ``` Run the spec as many times as needed to hit a UUID that converts to `0` through `.to_i`. The UUID to zero conversion does not cause a security issue but the security issue is demonstrated with the following example. The following code regenerates the issue by assigning a predefined UUID that will generate a collision (example assumes there are already two existing users in the system): ```ruby

There are no reported fixed by versions.

Vulnerability	Summary	Aliases
VCID-m6gy-ubmr-x7ak		CVE-2026-23891 GHSA-fc46-r95f-hq7g
VCID-uzes-rhdk-cbfx		CVE-2026-40869 GHSA-w5xj-99cg-rccm

Vulnerability

Summary

Aliases

VCID-m6gy-ubmr-x7ak

CVE-2026-23891
GHSA-fc46-r95f-hq7g

VCID-uzes-rhdk-cbfx

CVE-2026-40869
GHSA-w5xj-99cg-rccm

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-01T10:45:07.488424+00:00	GitLab Importer	Fixing	VCID-uzes-rhdk-cbfx	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/decidim-core/CVE-2026-40869.yml	38.6.0
2026-06-01T10:42:44.316989+00:00	GitLab Importer	Fixing	VCID-m6gy-ubmr-x7ak	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/decidim-core/CVE-2026-23891.yml	38.6.0
2026-05-31T21:39:23.061149+00:00	GHSA Importer	Fixing	VCID-uzes-rhdk-cbfx	https://github.com/advisories/GHSA-w5xj-99cg-rccm	38.6.0
2026-05-31T21:39:13.499110+00:00	GHSA Importer	Fixing	VCID-m6gy-ubmr-x7ak	https://github.com/advisories/GHSA-fc46-r95f-hq7g	38.6.0
2026-05-31T10:51:52.711664+00:00	GithubOSV Importer	Fixing	VCID-m6gy-ubmr-x7ak	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-fc46-r95f-hq7g/GHSA-fc46-r95f-hq7g.json	38.6.0
2026-05-31T10:51:12.309540+00:00	GithubOSV Importer	Fixing	VCID-uzes-rhdk-cbfx	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-w5xj-99cg-rccm/GHSA-w5xj-99cg-rccm.json	38.6.0
2026-05-31T10:20:39.226510+00:00	Ruby Importer	Affected by	VCID-z21p-469r-bkfx	https://github.com/rubysec/ruby-advisory-db/blob/master/gems/decidim-core/CVE-2025-65017.yml	38.6.0