Package details: pkg:gem/decidim@0.27.7
purl: pkg:gem/decidim@0.27.7
Next non-vulnerable version: None
Latest non-vulnerable version: None
Risk: 4.0
Vulnerabilities affecting this package (2)

Vulnerability: VCID-5z34-ygv7-7fe3
  Aliases: CVE-2024-41673, GHSA-cc4g-m3g7-xmw8
  Fixed by: 0.27.8 (affected by 1 other vulnerability)

Vulnerability: VCID-z21p-469r-bkfx
  Aliases: CVE-2025-65017, GHSA-3cx6-j9j4-54mp
  Summary: Decidim's private data exports can lead to data leaks

  Private data exports can lead to data leaks in cases where the UUID generation causes collisions for the generated UUIDs. The bug was introduced by #13571 and affects Decidim versions 0.30.0 or newer (currently 2025-09-23).

  This issue was discovered by running the following spec several times in a row, as it can randomly fail due to this bug:

```bash
$ cd decidim-core
$ for i in {1..10}; do bundle exec rspec spec/jobs/decidim/download_your_data_export_job_spec.rb -e "deletes the" || break ; done
```

  Run the spec as many times as needed to hit a UUID that converts to `0` through `.to_i`. The UUID-to-zero conversion does not cause a security issue by itself, but the security issue is demonstrated with the following example.

  The following code reproduces the issue by assigning a predefined UUID that will generate a collision (the example assumes there are already two existing users in the system):

  Fixed by: 0.30.4 (affected by 1 other vulnerability), 0.31.0 (affected by 1 other vulnerability)
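As an added illustration of the hazard the advisory summary describes (this is not code from the advisory or from Decidim): Ruby's `String#to_i` keeps only the leading decimal digits of a string, so any UUID that starts with a hex letter becomes `0` and distinct UUIDs collapse onto the same integer key. The helper names and the sample UUIDs below are constructed for this example.

```ruby
require "securerandom"

# String#to_i parses leading decimal digits and stops at the first
# non-digit, so "a1b2-..." becomes 0 and "42f7-..." becomes 42. Almost all
# of the UUID's 122 random bits are discarded, which is why two users can
# end up with the same derived key.
def uuid_to_legacy_int(uuid)
  uuid.to_i
end

# Group UUIDs by the integer they collapse to and report how many distinct
# keys remain, how many UUIDs share a key with another UUID, and how many
# collapse to 0.
def collision_report(uuids)
  buckets = Hash.new { |h, k| h[k] = [] }
  uuids.each { |u| buckets[uuid_to_legacy_int(u)] << u }
  colliding = buckets.values.select { |v| v.size > 1 }.sum(&:size)
  {
    distinct_keys: buckets.size,
    colliding_uuids: colliding,
    zero_keys: buckets.fetch(0, []).size
  }
end

# Safer alternative (hypothetical helper): keep the full UUID string as the
# export key and validate its shape instead of converting it to an integer.
UUID_RE = /\A\h{8}-\h{4}-\h{4}-\h{4}-\h{12}\z/

def safe_export_key(uuid)
  raise ArgumentError, "not a UUID: #{uuid.inspect}" unless uuid.match?(UUID_RE)
  uuid
end

if $PROGRAM_NAME == __FILE__
  # Random sample: well over a third of the keys will be 0.
  puts collision_report(Array.new(1000) { SecureRandom.uuid })
end
```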
Vulnerabilities fixed by this package (1)

Vulnerability: VCID-3hvb-5ur8-z3ea
  Aliases: CVE-2024-39910, GHSA-vvqw-fqwx-mqmm

Date Actor Action Vulnerability Source VulnerableCode Version
2026-05-31T19:19:34.750267+00:00 GitLab Importer Fixing VCID-3hvb-5ur8-z3ea https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/decidim/CVE-2024-39910.yml 38.6.0
2026-05-31T10:46:05.003616+00:00 GithubOSV Importer Fixing VCID-3hvb-5ur8-z3ea https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/09/GHSA-vvqw-fqwx-mqmm/GHSA-vvqw-fqwx-mqmm.json 38.6.0
2026-05-31T10:20:39.741671+00:00 Ruby Importer Affected by VCID-z21p-469r-bkfx https://github.com/rubysec/ruby-advisory-db/blob/master/gems/decidim/CVE-2025-65017.yml 38.6.0
2026-05-31T10:19:53.526463+00:00 Ruby Importer Affected by VCID-5z34-ygv7-7fe3 https://github.com/rubysec/ruby-advisory-db/blob/master/gems/decidim/CVE-2024-41673.yml 38.6.0
2026-05-31T10:19:43.735363+00:00 Ruby Importer Fixing VCID-3hvb-5ur8-z3ea https://github.com/rubysec/ruby-advisory-db/blob/master/gems/decidim/CVE-2024-39910.yml 38.6.0
2026-05-31T01:04:59.596692+00:00 GHSA Importer Affected by VCID-5z34-ygv7-7fe3 https://github.com/advisories/GHSA-cc4g-m3g7-xmw8 38.6.0
2026-05-31T01:04:50.141572+00:00 GHSA Importer Fixing VCID-3hvb-5ur8-z3ea https://github.com/advisories/GHSA-vvqw-fqwx-mqmm 38.6.0