CVE-2025-65029 Overview
Rallly is an open-source scheduling and collaboration tool used for coordinating meetings through participant polls. Versions prior to 4.5.4 contain an Insecure Direct Object Reference (IDOR) vulnerability in the participant deletion endpoint. The endpoint authorizes deletions using only a participant ID, without verifying that the requester owns the poll or the participant record. Any authenticated user can remove arbitrary participants, including poll owners, from any poll on the system. The flaw is tracked under [CWE-285] Improper Authorization and was patched in version 4.5.4.
Critical Impact
Authenticated attackers can delete arbitrary participants from any poll, breaking the integrity and availability of scheduling data across the application.
Affected Products
- Rallly versions prior to 4.5.4
- Self-hosted Rallly deployments running vulnerable releases
- Any Rallly instance exposing the participant deletion endpoint to authenticated users
Discovery Timeline
- 2025-11-19 - CVE-2025-65029 published to NVD
- 2025-11-25 - Last updated in NVD database
Technical Details for CVE-2025-65029
Vulnerability Analysis
The vulnerability resides in the API route that handles participant removal from polls. Rallly accepts a participant identifier from the client and processes the deletion without cross-referencing the requesting user's ownership of the parent poll. An authenticated attacker can enumerate or guess participant IDs and issue deletion requests against records they do not own. The result is unauthorized modification of poll state, including the ability to remove the poll owner from their own poll.
Because the operation only requires a valid session and a target participant ID, exploitation requires no special privileges beyond standard account registration. The impact is scoped to data integrity and availability rather than confidentiality, as the endpoint does not return sensitive data to the attacker.
Root Cause
The root cause is missing authorization logic in the deletion handler. The endpoint trusts the participant ID supplied by the client as sufficient authorization context. It does not verify that the authenticated user is the owner of the participant record or the poll containing it. This pattern is a textbook IDOR, classified under [CWE-285] Improper Authorization.
Attack Vector
Exploitation occurs over the network through standard authenticated HTTP requests. An attacker registers or uses an existing account, identifies a target participant ID belonging to another user's poll, and submits a deletion request. The server processes the request and removes the participant. No user interaction from the victim is required, and the attack scales to any participant on any poll in the deployment.
No public proof-of-concept exploit code has been published. The vulnerability mechanism is described in the GitHub Security Advisory GHSA-f8jc-6746-ww95.
Detection Methods for CVE-2025-65029
Indicators of Compromise
- Unexpected participant deletion events in application logs that do not correspond to actions by the poll owner
- HTTP DELETE or tRPC mutation requests targeting participant IDs from accounts unrelated to the parent poll
- Reports from end users that their responses or poll memberships disappeared without action on their part
Detection Strategies
- Audit Rallly application logs for participant deletion calls and correlate the acting user against the poll owner
- Add server-side instrumentation to record the user ID, participant ID, and poll ID for every deletion request
- Alert on bursts of deletion requests originating from a single authenticated session targeting multiple polls
Monitoring Recommendations
- Forward Rallly application and reverse proxy logs to a centralized log platform for retention and query
- Track database write events on the participants table and flag deletions performed outside of expected user-poll relationships
- Monitor for account creation followed by rapid API activity against participant endpoints, which suggests automated abuse
How to Mitigate CVE-2025-65029
Immediate Actions Required
- Upgrade Rallly to version 4.5.4 or later, which includes the authorization fix
- Review historical application logs for unauthorized participant deletions and notify affected poll owners
- Restrict access to self-hosted Rallly instances to trusted users until the patch is applied
Patch Information
The maintainers released the fix in Rallly v4.5.4. The release adds ownership verification to the participant deletion path so that only the poll owner or the participant themselves can remove a participant record. Administrators of self-hosted deployments should pull the updated container image or source release and redeploy. Full advisory details are available in GHSA-f8jc-6746-ww95.
Workarounds
- No vendor-supplied workaround exists; upgrading to 4.5.4 is the required remediation
- As a temporary control, limit Rallly registration to a known user base via SSO or invitation only to reduce the pool of potential attackers
- Place the application behind a reverse proxy that rate-limits authenticated API calls to participant endpoints
# Upgrade a Docker-based Rallly deployment to the patched release
docker pull lukevella/rallly:4.5.4
docker compose down
docker compose up -d
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

