Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-65030

CVE-2025-65030: Rallly Auth Bypass Vulnerability

CVE-2025-65030 is an authorization bypass flaw in Rallly that allows authenticated users to delete any comment without proper permission checks. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2025-65030 Overview

CVE-2025-65030 is a broken access control vulnerability in Rallly, an open-source scheduling and collaboration tool. The flaw resides in the comment deletion API endpoint, which authorizes requests based solely on the comment identifier. Any authenticated user can delete comments belonging to other users, including poll owners and administrators. The issue affects all versions of Rallly prior to 4.5.4 and is classified under CWE-285 (Improper Authorization). Maintainer lukevella patched the vulnerability in release v4.5.4.

Critical Impact

Authenticated attackers can delete arbitrary comments across any poll, enabling integrity loss and tampering with collaborative scheduling data without owner consent.

Affected Products

  • Rallly versions prior to 4.5.4
  • Self-hosted Rallly deployments exposing the comment API
  • Multi-tenant Rallly instances with shared authenticated user bases

Discovery Timeline

  • 2025-11-19 - CVE-2025-65030 published to NVD
  • 2025-11-25 - Last updated in NVD database

Technical Details for CVE-2025-65030

Vulnerability Analysis

The vulnerability stems from missing ownership verification in the comment deletion endpoint. The handler accepts a comment ID parameter and removes the matching record from persistent storage. It does not check whether the authenticated session belongs to the comment author, the poll owner, or an administrator with appropriate privileges.

Any user holding a valid session token can invoke the endpoint with a target comment ID. The server processes the request as authorized because authentication succeeded, conflating authentication with authorization. This is a textbook Improper Authorization weakness mapped to CWE-285.

Exploitation requires only low-privilege access. An attacker needs a registered Rallly account on the target instance. From there, they enumerate or observe comment identifiers exposed through the application's standard interfaces and issue deletion requests against any comment.

Root Cause

The comment deletion route relies exclusively on the comment ID as input. The server queries the database for the matching record and deletes it without joining against an ownership column or checking the requesting user's role. Authorization logic that should validate comment.userId === session.userId or equivalent administrative checks is absent from the handler. Full technical details are available in the GitHub Security Advisory GHSA-4j32-25f9-qgfm.

Attack Vector

The attack vector is network-based and requires low privileges with no user interaction. An authenticated attacker sends a crafted API request referencing a comment ID owned by another user. The server returns a success response and removes the targeted comment. Repeated requests can purge entire comment threads on polls the attacker does not own.

No verified exploit code is publicly available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. The mechanism is described in prose because no sanitized proof-of-concept has been released.

Detection Methods for CVE-2025-65030

Indicators of Compromise

  • Unexpected comment deletion events in Rallly application logs where the requesting userId does not match the comment.userId
  • Poll owners reporting missing comments they did not delete
  • Spikes in DELETE requests against the comment endpoint from a single authenticated session
  • Audit log gaps coinciding with sudden drops in comment counts on active polls

Detection Strategies

  • Compare authenticated userId against the userId field on deleted comment records in application or database audit logs
  • Alert on bulk deletion patterns where one user removes comments authored by multiple distinct accounts within a short window
  • Enable database-level triggers or change data capture on the comments table to record actor identity for every deletion

Monitoring Recommendations

  • Forward Rallly application logs and reverse proxy access logs to a centralized log analytics platform for correlation
  • Track HTTP method, endpoint path, authenticated user, and target resource ID for every comment API request
  • Establish a baseline for normal comment deletion volume per user and alert on deviations

How to Mitigate CVE-2025-65030

Immediate Actions Required

  • Upgrade Rallly to version 4.5.4 or later on all self-hosted instances
  • Audit existing comment records and notify poll owners of any unexplained deletions
  • Rotate session tokens for all users after patching to invalidate any reconnaissance sessions
  • Review web server and application logs for prior abuse of the deletion endpoint

Patch Information

The maintainer released a fix in Rallly v4.5.4. The patch adds ownership and permission checks to the comment deletion handler, ensuring only the comment author, poll owner, or administrators can remove a comment. Operators must redeploy the updated container image or pull the new release before exposure is eliminated.

Workarounds

  • Restrict Rallly access to trusted users only by enforcing invite-only registration until the patch is applied
  • Place the Rallly instance behind a reverse proxy that blocks DELETE requests to the comment API for non-administrative users as a temporary measure
  • Take regular database backups of the comments table to enable restoration if abuse is detected
bash
# Upgrade Rallly via Docker to the patched release
docker pull lukevella/rallly:4.5.4
docker stop rallly && docker rm rallly
docker run -d --name rallly \
  --env-file /etc/rallly/.env \
  -p 3000:3000 \
  lukevella/rallly:4.5.4

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.