
CVE Reports

Posted on • Originally published at cvereports.com

CVE-2025-65017: The GDPR Paradox: How Decidim's Privacy Export Leaked Everyone's Data


Vulnerability ID: CVE-2025-65017
CVSS Score: 8.2
Published: 2026-02-03

A critical type-confusion vulnerability in Decidim's 'Download Your Data' feature turned a privacy-compliance tool into a data leak. Because of a mismatch between the integer primary-key schema used by Ruby on Rails' ActiveStorage and Decidim's use of UUIDs, unique export IDs were silently cast to integers, causing widespread primary-key collisions in the database. As a result, users requesting their own data could receive full data exports belonging to other users.

TL;DR

Decidim used UUIDs for private exports, but the database column expected integers. Ruby cast the UUIDs (e.g., 'a1b2...') to '0', so different users' files overwrote each other or were served interchangeably. An attacker could simply request their own data and receive someone else's sensitive ZIP file.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-200 (Info Disclosure)
  • CWE ID: CWE-703 (Improper Check of Unusual Conditions)
  • CVSS v4.0: 8.2 (High)
  • Attack Vector: Network
  • Privileges: Low (Any User)
  • Impact: Confidentiality Loss (Total for affected scope)

Affected Systems

  • Decidim Framework
  • Decidim: >= 0.30.0 < 0.30.4 (Fixed in: 0.30.4)
  • Decidim: >= 0.31.0.rc1 < 0.31.0 (Fixed in: 0.31.0)

Code Analysis

Commit: 13b4c99

Fix PrivateExport attachment handling by migrating primary key to Integer

class PrivateExport < ApplicationRecord
-  self.primary_key = :id
+  # Reverted to standard Integer PK
 end
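Review bot: the hunk only replaces `self.primary_key = :id` with a comment, but the commit message says the fix migrates the primary key to Integer, and no migration appears here; dropping the model-level declaration does not change the column type, so the schema migration that alters the private_exports id column (the one Remediation step 2 asks operators to run) should be part of this change or linked from it. Note also that `self.primary_key = :id` is Rails' default, so on its own this model edit is a no-op unless the column type itself changes.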

Mitigation Strategies

  • Schema Validation: Ensure polymorphic associations use compatible types (UUID vs BigInt).
  • Strict Typing: Disable silent type casting in database adapters where possible.
  • Defense in Depth: Scope all file retrievals strictly to the authenticated user object.
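Added example in plain Ruby (not Decidim's or this report's code): it models the TL;DR's lossy UUID-to-integer cast against an in-memory stand-in for the export table, showing two users' UUIDs collapsing onto the same row, next to the strict-cast, owner-scoped lookup that the 'Strict Typing' and 'Defense in Depth' mitigations above call for. The to_i-style cast and the table stand-in are assumptions for illustration, not ActiveRecord itself.

```ruby
# Constructed stand-in for the private_exports table: integer primary key -> row.
ExportRow = Struct.new(:id, :owner, :file)

# Lossy cast, assumed to mirror an integer column's to_i-style coercion:
# "a1b2..." -> 0 and "1a2b..." -> 1, so distinct UUIDs collapse onto a few ints.
def lossy_cast(key)
  key.to_s.to_i
end

# Strict cast: accept only canonical base-10 integers; reject everything else.
def strict_cast(key)
  Integer(key.to_s, 10)
rescue ArgumentError
  nil
end

class PrivateExportStore
  def initialize
    @rows = {}
  end

  # Vulnerable path: the UUID is cast before the write, so exports from
  # different users silently overwrite the same integer row.
  def store_lossy(uuid, owner, file)
    id = lossy_cast(uuid)
    @rows[id] = ExportRow.new(id, owner, file)
    id
  end

  # Vulnerable path: any UUID that casts to the same integer returns that
  # row's file, regardless of who owns it.
  def fetch_lossy(uuid)
    @rows[lossy_cast(uuid)]&.file
  end

  # Hardened path: malformed keys are rejected instead of coerced.
  def store_strict(key, owner, file)
    id = strict_cast(key)
    return nil if id.nil?
    @rows[id] = ExportRow.new(id, owner, file)
    id
  end

  # Hardened path: the lookup is scoped to the authenticated owner, so a key
  # that does not identify the caller's own export yields nothing.
  def fetch_for(owner, key)
    id = strict_cast(key)
    return nil if id.nil?
    row = @rows[id]
    row && row.owner == owner ? row.file : nil
  end
end
```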

Remediation Steps:

  1. Upgrade Decidim to version 0.30.4 or 0.31.0 immediately.
  2. Run the provided database migrations to alter the PrivateExport table structure.
  3. Execute the cleanup rake task bin/rails decidim:upgrade:clean:remove_private_exports_attachments to delete compromised export files.
  4. Notify users that previous data exports may have failed and request they regenerate them.

Read the full report for CVE-2025-65017 on our website for more details including interactive diagrams and full exploit analysis.
