CVE-2025-65020 Overview
CVE-2025-65020 is an Insecure Direct Object Reference (IDOR) vulnerability in Rallly, an open-source scheduling and collaboration tool. The flaw resides in the poll duplication endpoint /api/trpc/polls.duplicate and affects all versions prior to 4.5.4. Any authenticated user can duplicate polls belonging to other users by tampering with the pollId parameter. This bypasses access control and enables unauthorized users to clone private or administrative polls. Maintainer lukevella published version 4.5.4 to remediate the issue. The vulnerability is categorized under CWE-285: Improper Authorization.
Critical Impact
Authenticated attackers can clone any poll in the system, exposing private scheduling data and administrative content without the owner's consent.
Affected Products
- Rallly versions prior to 4.5.4
- Self-hosted Rallly deployments exposing the tRPC API
- Rallly instances with open user registration enabled
Discovery Timeline
- 2025-11-19 - CVE-2025-65020 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-65020
Vulnerability Analysis
Rallly exposes a tRPC route at /api/trpc/polls.duplicate that accepts a pollId parameter identifying the poll to clone. In versions prior to 4.5.4, the handler validates that the request comes from an authenticated session but does not confirm that the calling user owns the referenced pollId. As a result, any logged-in user can submit an arbitrary pollId value and receive a duplicate of a poll owned by another user.
The duplicated poll is created under the attacker's account, granting the attacker full read access to questions, options, participant names, comments, and any embedded metadata from the original poll. Attackers can enumerate poll identifiers or reuse leaked identifiers from shared links to clone targeted polls at will.
Root Cause
The root cause is a missing authorization check between the authenticated principal and the target resource. The endpoint conflates authentication with authorization, assuming that any authenticated user has the right to duplicate any referenced poll. The handler does not compare the poll's userId (or organization membership) against the session subject before performing the clone operation.
Attack Vector
Exploitation requires only a valid Rallly account and network access to the target instance. An attacker logs into the application, obtains a valid session, and issues a POST request to /api/trpc/polls.duplicate with the victim's pollId in the request body. The server returns a newly created poll under the attacker's ownership containing the victim's content. No user interaction from the victim is needed, and no elevated privileges are required. See the GitHub Security Advisory GHSA-44w7-pf32-gv5m for the vendor's technical write-up.
Detection Methods for CVE-2025-65020
Indicators of Compromise
- POST requests to /api/trpc/polls.duplicate from user accounts that do not own the referenced pollId
- Sudden growth in duplicated polls under low-activity or newly created accounts
- Access log entries where the pollId parameter references resources outside the requesting user's history
Detection Strategies
- Correlate application logs to compare the authenticated session's userId against the userId of the poll referenced by each duplication request.
- Deploy database auditing on the polls table to flag rows where the createdBy field for a duplicate does not match the original poll's owner.
- Baseline normal poll duplication behavior per user and alert on outliers such as bulk duplication or duplication of unrelated polls.
Monitoring Recommendations
- Forward Rallly application and reverse proxy logs to a centralized log platform for retention and query.
- Enable audit logging on the tRPC layer to capture the caller identity, target pollId, and outcome for every polls.duplicate invocation.
- Monitor for account creation spikes followed by immediate calls to the duplication endpoint, which may indicate automated abuse.
How to Mitigate CVE-2025-65020
Immediate Actions Required
- Upgrade all Rallly instances to version 4.5.4 or later without delay.
- Audit existing polls for unexpected duplicates and remove unauthorized clones.
- Rotate any sensitive information that may have been embedded in poll questions, options, or comments prior to patching.
Patch Information
The fix is included in Rallly v4.5.4, which adds an ownership check to the polls.duplicate handler so that only the poll owner may duplicate a poll. Release notes and source changes are available in the Rallly v4.5.4 release. Administrators running containerized deployments should pull the updated image and redeploy.
Workarounds
- Restrict Rallly access to trusted users only by disabling open registration until the upgrade is applied.
- Place the application behind an authenticated reverse proxy that blocks direct access to /api/trpc/polls.duplicate from untrusted principals.
- Temporarily remove or firewall the duplication route at the ingress layer if patching cannot be completed immediately.
# Upgrade Rallly to the patched version
docker pull lukevella/rallly:4.5.4
docker stop rallly && docker rm rallly
docker run -d --name rallly --env-file .env -p 3000:3000 lukevella/rallly:4.5.4
# Optional: block the vulnerable route at nginx until upgrade completes
# location /api/trpc/polls.duplicate { return 403; }
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

