Listen to this Post
The vulnerability occurs in the `Decidim::PrivateExport` class which uses UUIDs as primary keys. When an export is created, its file is attached via ActiveStorage. The `active_storage_attachments` table stores the associated record’s ID in a `bigint` column named record_id. When ActiveStorage retrieves the file, it queries using this ID. The flaw is that a UUID (string) is implicitly converted to an integer via `.to_i` for this query. For example, UUID `”0210ae70-…”` converts to integer 210. Any other export whose UUID’s leading numeric substring converts to the same integer (e.g., "000210ae-...", "210abcde-...") will cause a collision in the query. This results in a user downloading another user’s private data export, leading to a data leak. The collision probability is significantly elevated versus random UUID guessing.
Platform: Decidim
Version: >=0.30.0
Vulnerability : UUID Collision
Severity: Critical
date: 2025-09-23
Prediction: 2024-11-15
What Undercode Say:
cd decidim-core
for i in {1..10}; do bundle exec rspec spec/jobs/decidim/download_your_data_export_job_spec.rb -e "deletes the" || break ; done
export.id = "0210ae70-482b-4671-b758-35e13e0097a9" user.private_exports.last.file.attached? => false
How Exploit:
Attacker requests data export. System-generated UUID may collide with another user’s export ID due to integer conversion. Attacker downloads file containing victim’s private data.
Protection from this CVE:
Disable private exports. Apply patch modifying ID storage/query to use full UUID string.
Impact:
User Data Leak.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

