Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-65021

CVE-2025-65021: Rallly Auth Bypass Vulnerability

CVE-2025-65021 is an authentication bypass flaw in Rallly that allows any authenticated user to finalize polls they don't own by exploiting an IDOR weakness. This article covers technical details, affected versions, and fixes.

Published:

CVE-2025-65021 Overview

CVE-2025-65021 is a critical Insecure Direct Object Reference (IDOR) vulnerability discovered in Rallly, an open-source scheduling and collaboration tool. Prior to version 4.5.4, the poll finalization feature lacks proper authorization checks, allowing any authenticated user to finalize polls they do not own by manipulating the pollId parameter in requests. This unauthorized access enables attackers to convert other users' polls into events without proper authorization, potentially disrupting user workflows and causing significant data integrity and availability issues.

Critical Impact

Authenticated attackers can finalize any poll in the system regardless of ownership, leading to unauthorized data manipulation, workflow disruption, and potential denial of service for legitimate poll owners.

Affected Products

  • Rallly versions prior to 4.5.4
  • Self-hosted Rallly instances without the security patch
  • Any deployment using vulnerable poll finalization endpoints

Discovery Timeline

  • 2025-11-19 - CVE-2025-65021 published to NVD
  • 2025-11-25 - Last updated in NVD database

Technical Details for CVE-2025-65021

Vulnerability Analysis

This vulnerability represents a classic Insecure Direct Object Reference (IDOR) flaw in the poll finalization endpoint. The application fails to verify that the authenticated user making the request is the actual owner of the poll being finalized. When a user submits a request to finalize a poll, the server accepts the pollId parameter directly without validating the relationship between the requesting user and the poll resource.

The lack of authorization checks means that any authenticated user can enumerate or guess valid poll IDs and submit finalization requests for polls created by other users. Once a poll is finalized and converted to an event, this action may be irreversible or difficult to undo, causing permanent disruption to the original poll owner's scheduling workflow.

Root Cause

The root cause of CVE-2025-65021 is the absence of proper authorization validation in the poll finalization feature. The application trusts the pollId parameter provided by the client without verifying that the authenticated user has ownership or appropriate permissions to perform the finalization action. This is classified under CWE-285 (Improper Authorization), where the software does not perform proper access control checks before granting access to a protected resource or functionality.

Attack Vector

The attack is network-based and requires only basic authentication to the Rallly application. An attacker with valid credentials can exploit this vulnerability by intercepting or crafting HTTP requests to the poll finalization endpoint and modifying the pollId parameter to target polls owned by other users. The attack requires no user interaction and can be easily automated to affect multiple polls across the system.

The exploitation flow involves:

  1. Authenticating to the Rallly application with any valid user account
  2. Identifying or enumerating valid poll IDs through observation or brute-force
  3. Sending finalization requests with manipulated pollId values
  4. Successfully finalizing polls without ownership verification

Detection Methods for CVE-2025-65021

Indicators of Compromise

  • Unusual patterns of poll finalization events from single user accounts
  • Log entries showing poll finalization requests where the authenticated user differs from the poll creator
  • Spike in user complaints about unexpectedly finalized polls
  • API requests to finalization endpoints with sequential or enumerated poll IDs

Detection Strategies

  • Implement logging that captures both the authenticated user and the poll owner for all finalization requests
  • Create alerts for poll finalization events where the requesting user does not match the poll owner
  • Monitor for rapid sequential requests to the poll finalization endpoint
  • Analyze access logs for patterns indicating systematic exploitation attempts

Monitoring Recommendations

  • Enable detailed audit logging for all poll-related API endpoints
  • Set up real-time alerts for authorization anomalies in poll operations
  • Review access patterns periodically to identify potential abuse
  • Correlate user activity logs with poll ownership data to detect unauthorized access

How to Mitigate CVE-2025-65021

Immediate Actions Required

  • Upgrade Rallly to version 4.5.4 or later immediately
  • Audit existing poll finalization logs to identify potential exploitation
  • Review all recently finalized polls to verify they were authorized by legitimate owners
  • Consider temporarily disabling the poll finalization feature until patching is complete

Patch Information

The vulnerability has been addressed in Rallly version 4.5.4. The patch implements proper authorization checks to ensure that only poll owners can finalize their polls. Organizations should update to the patched version as soon as possible. For detailed information about the security fix, refer to the GitHub Security Advisory GHSA-x7w2-g548-4qg8 and the Rallly v4.5.4 Release Notes.

Workarounds

  • Restrict access to the Rallly application to trusted users only until patching
  • Implement network-level access controls to limit exposure of the application
  • Use a web application firewall (WAF) to monitor and block suspicious poll finalization requests
  • Consider implementing additional server-side authorization checks if custom deployment allows
bash
# Update Rallly to patched version
cd /path/to/rallly
git fetch --tags
git checkout v4.5.4
npm install
npm run build
# Restart your Rallly service

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.