CVE-2025-65030 Overview
CVE-2025-65030 is a broken access control vulnerability in Rallly, an open-source scheduling and collaboration tool. The flaw resides in the comment deletion API endpoint, which authorizes requests based solely on the comment identifier. Any authenticated user can delete comments belonging to other users, including poll owners and administrators. The issue affects all versions of Rallly prior to 4.5.4 and is classified under CWE-285 (Improper Authorization). Maintainer lukevella patched the vulnerability in release v4.5.4.
Critical Impact
Authenticated attackers can delete arbitrary comments across any poll, enabling integrity loss and tampering with collaborative scheduling data without owner consent.
Affected Products
- Rallly versions prior to 4.5.4
- Self-hosted Rallly deployments exposing the comment API
- Multi-tenant Rallly instances with shared authenticated user bases
Discovery Timeline
- 2025-11-19 - CVE-2025-65030 published to NVD
- 2025-11-25 - Last updated in NVD database
Technical Details for CVE-2025-65030
Vulnerability Analysis
The vulnerability stems from missing ownership verification in the comment deletion endpoint. The handler accepts a comment ID parameter and removes the matching record from persistent storage. It does not check whether the authenticated session belongs to the comment author, the poll owner, or an administrator with appropriate privileges.
Any user holding a valid session token can invoke the endpoint with a target comment ID. The server processes the request as authorized because authentication succeeded, conflating authentication with authorization. This is a textbook Improper Authorization weakness mapped to CWE-285.
Exploitation requires only low-privilege access. An attacker needs a registered Rallly account on the target instance. From there, they enumerate or observe comment identifiers exposed through the application's standard interfaces and issue deletion requests against any comment.
Root Cause
The comment deletion route relies exclusively on the comment ID as input. The server queries the database for the matching record and deletes it without joining against an ownership column or checking the requesting user's role. Authorization logic that should validate comment.userId === session.userId or equivalent administrative checks is absent from the handler. Full technical details are available in the GitHub Security Advisory GHSA-4j32-25f9-qgfm.
Attack Vector
The attack vector is network-based and requires low privileges with no user interaction. An authenticated attacker sends a crafted API request referencing a comment ID owned by another user. The server returns a success response and removes the targeted comment. Repeated requests can purge entire comment threads on polls the attacker does not own.
No verified exploit code is publicly available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. The mechanism is described in prose because no sanitized proof-of-concept has been released.
Detection Methods for CVE-2025-65030
Indicators of Compromise
- Unexpected comment deletion events in Rallly application logs where the requesting userId does not match the comment.userId
- Poll owners reporting missing comments they did not delete
- Spikes in DELETE requests against the comment endpoint from a single authenticated session
- Audit log gaps coinciding with sudden drops in comment counts on active polls
Detection Strategies
- Compare authenticated userId against the userId field on deleted comment records in application or database audit logs
- Alert on bulk deletion patterns where one user removes comments authored by multiple distinct accounts within a short window
- Enable database-level triggers or change data capture on the comments table to record actor identity for every deletion
Monitoring Recommendations
- Forward Rallly application logs and reverse proxy access logs to a centralized log analytics platform for correlation
- Track HTTP method, endpoint path, authenticated user, and target resource ID for every comment API request
- Establish a baseline for normal comment deletion volume per user and alert on deviations
How to Mitigate CVE-2025-65030
Immediate Actions Required
- Upgrade Rallly to version 4.5.4 or later on all self-hosted instances
- Audit existing comment records and notify poll owners of any unexplained deletions
- Rotate session tokens for all users after patching to invalidate any reconnaissance sessions
- Review web server and application logs for prior abuse of the deletion endpoint
Patch Information
The maintainer released a fix in Rallly v4.5.4. The patch adds ownership and permission checks to the comment deletion handler, ensuring only the comment author, poll owner, or administrators can remove a comment. Operators must redeploy the updated container image or pull the new release before exposure is eliminated.
Workarounds
- Restrict Rallly access to trusted users only by enforcing invite-only registration until the patch is applied
- Place the Rallly instance behind a reverse proxy that blocks DELETE requests to the comment API for non-administrative users as a temporary measure
- Take regular database backups of the comments table to enable restoration if abuse is detected
# Upgrade Rallly via Docker to the patched release
docker pull lukevella/rallly:4.5.4
docker stop rallly && docker rm rallly
docker run -d --name rallly \
--env-file /etc/rallly/.env \
-p 3000:3000 \
lukevella/rallly:4.5.4
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

