CVE-2025-65017 in Decidim

Summary

by MITRE • 02/03/2026

Decidim is a participatory democracy framework. In versions from 0.30.0 to before 0.30.4 and from 0.31.0.rc1 to before 0.31.0, the private data exports can lead to data leaks in case the UUID generation causes collisions for the generated UUIDs. This issue has been patched in versions 0.30.4 and 0.31.0.


Analysis

by VulDB Data Team • 02/09/2026

CVE-2025-65017 is a critical vulnerability in the Decidim participatory democracy framework that exposes sensitive data through flawed UUID generation. It affects versions from 0.30.0 to 0.30.3 and from 0.31.0.rc1 to 0.31.0, and creates data leakage scenarios when private data exports are processed. The core technical flaw is that the UUID generation does not guarantee sufficient entropy and uniqueness across concurrent export operations, leading to hash collisions that break data isolation. When several data export requests run concurrently, the generator may produce identical identifiers, allowing unauthorized access to private data that should remain isolated between different export operations.

This vulnerability directly maps to CWE-1037, which addresses inadequate entropy in random number generation, and aligns with ATT&CK technique T1078.004 related to valid accounts and credential access. The operational impact goes beyond simple data exposure: it undermines the security assumptions of the framework's data protection mechanisms and could let attackers correlate and aggregate private information from multiple export operations. The vulnerability is a classic cryptographic implementation weakness in which insufficient randomness yields predictable identifiers that can be used to reach sensitive user data. Organizations running affected Decidim versions face significant risk of privacy breaches and potential regulatory violations, particularly in jurisdictions with strict data protection requirements. The patch in versions 0.30.4 and 0.31.0 strengthens the UUID generation algorithm to ensure proper entropy and collision resistance.

Security practitioners should prioritize immediate remediation of affected systems and implement monitoring for potential exploitation attempts. The vulnerability underlines the importance of proper entropy management in cryptographic operations and shows that even seemingly minor implementation flaws in security-critical components can lead to significant data exposure. Organizations should review their Decidim deployments and ensure every instance is updated to a patched version.
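The following Ruby example is added here to illustrate the failure mode the analysis describes; it is not Decidim's code, and the page does not state how the affected versions actually derived their export identifiers. The `weak_export_id` generator is a constructed stand-in (a PRNG seeded with the current second, so every export started in the same second gets the same identifier), `strong_export_id` uses the CSPRNG-backed `SecureRandom.uuid`, `ExportRegistry` shows the defensive check a deployment can add regardless of generator, and `duplicate_ids` is the audit an operator can run over identifiers already stored in an exports table. All function and class names are assumptions made for this example.

```ruby
require 'securerandom'

# Lay out 32 hex characters in the 8-4-4-4-12 UUID shape.
def format_uuid(hex32)
  [hex32[0, 8], hex32[8, 4], hex32[12, 4], hex32[16, 4], hex32[20, 12]].join('-')
end

# Constructed weak generator (NOT Decidim's implementation): the PRNG is seeded
# with the current second, so two exports started within the same second draw
# identical bytes and therefore identical "UUIDs". It looks like a UUID but
# carries almost no entropy.
def weak_export_id(now = Time.now)
  rng = Random.new(now.to_i)
  format_uuid(rng.bytes(16).unpack1('H*'))
end

# Collision-resistant generator: SecureRandom.uuid produces an RFC 4122
# version 4 UUID with 122 bits drawn from the operating system CSPRNG, so the
# identifier does not depend on timing or on other concurrent requests.
def strong_export_id(_now = Time.now)
  SecureRandom.uuid
end

# Simulate n export requests that all arrive in the same second and report how
# many distinct identifiers were handed out (1 means every export collided).
def distinct_ids(generator, n, now = Time.at(1_700_000_000))
  Array.new(n) { generator.call(now) }.uniq.size
end

# Audit helper for an existing deployment: given identifiers already stored
# (e.g. selected from the exports table), return those appearing more than
# once, i.e. exports whose downloads may be cross-linked between users.
def duplicate_ids(ids)
  ids.tally.select { |_, count| count > 1 }.keys
end

# Defensive allocation: bind the identifier to its owner and refuse to reuse an
# identifier that is already bound. Even with a good generator this turns a
# silent data leak into a loud, logged failure.
class ExportRegistry
  def initialize
    @owners = {}
  end

  def allocate(user_id, generator: ->(t) { strong_export_id(t) }, now: Time.now)
    id = generator.call(now)
    raise "export id collision for #{id}" if @owners.key?(id)
    @owners[id] = user_id
    id
  end

  def owner(id)
    @owners[id]
  end
end

if __FILE__ == $PROGRAM_NAME
  puts "weak generator, 20 concurrent exports -> #{distinct_ids(method(:weak_export_id), 20)} distinct id(s)"
  puts "strong generator, 20 concurrent exports -> #{distinct_ids(method(:strong_export_id), 20)} distinct id(s)"
end
```

The registry check is worth keeping after upgrading: a unique index on the export identifier column gives the same guarantee at the database layer, and the audit helper can be run once over historical rows to find exports that may already have been served to the wrong account.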

Responsible

GitHub M

Reservation

11/13/2025

Disclosure

02/03/2026

Moderation

accepted

CPE

ready

EPSS

0.00054

KEV

no

Activities

very low
