URGENT: Critical Vulnerability Found in Rallly – Update Now! (CVE-2025-65021)

A critical security vulnerability, tracked as CVE-2025-65021, has been disclosed in Rallly, a popular open-source scheduling and collaboration tool. It allows any logged-in user to finalize polls that belong to other users, which can corrupt scheduling data and disrupt the people relying on those polls. If you run Rallly, the fix is to upgrade to version 4.5.4 or later; the rest of this post explains what the bug is, how it is scored, and what to check after patching.

Overview

Rallly is an open-source web application for scheduling events and coordinating availability. Prior to version 4.5.4, the poll finalization feature contained an Insecure Direct Object Reference (IDOR): the server accepted a poll identifier from the client and acted on it without confirming that the authenticated user owned that poll. Any authenticated user could therefore finalize a poll they did not create.

Technical Details

The flaw is in how the finalization request handles the pollId parameter. Finalization is the action a poll owner takes to pick the winning option and turn the poll into a scheduled event. The handler authenticated the caller, looked up the poll identified by pollId, and finalized it, but it never compared the poll's owner with the caller's identity. An attacker with an ordinary account simply substitutes another user's pollId in an otherwise legitimate finalization request.

This is an authorization failure rather than an authentication bypass: the attacker must be logged in, but once logged in they can act on polls belonging to any other user, a horizontal privilege escalation. Because the request is the same one the application normally accepts from the real owner, no special tooling or race condition is needed, and the result is a poll converted into an event on a date the owner never chose, with the usual notifications and workflow changes that follow.
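As an added illustration, the TypeScript below models the vulnerable handler and its corrected form. It is not Rallly's own code or the project's actual patch: the Poll shape, the handler names (finalizeVulnerable, finalizeFixed), the error classes and the two seeded polls are all assumptions made for the example. The check functions at the end are the kind of regression test that step 2 of the mitigation section below asks for, run against an in-memory store so the example works offline.

```typescript
// Added illustration, not Rallly's own code: an in-memory model of a poll
// "finalize" mutation showing the IDOR shape the advisory describes and the
// ownership check that closes it. All names here are assumed for the example.

type Poll = {
  id: string;
  userId: string;                 // the owner who created the poll
  status: "live" | "finalized";
  selectedOptionId?: string;      // set when the poll becomes an event
};

type Ctx = { user: { id: string } | null };   // null = not logged in
type FinalizeInput = { pollId: string; optionId: string };
type FinalizeHandler = (db: Map<string, Poll>, ctx: Ctx, input: FinalizeInput) => Poll;

class UnauthorizedError extends Error {}
class NotFoundError extends Error {}

// Constructed sample data: two users, each owning one live poll.
function seedPolls(): Map<string, Poll> {
  return new Map<string, Poll>([
    ["poll-a", { id: "poll-a", userId: "alice", status: "live" }],
    ["poll-b", { id: "poll-b", userId: "bob", status: "live" }],
  ]);
}

// Vulnerable shape: the caller is authenticated, but pollId comes straight
// from the request and is never compared against the caller's identity.
function finalizeVulnerable(db: Map<string, Poll>, ctx: Ctx, input: FinalizeInput): Poll {
  if (!ctx.user) throw new UnauthorizedError("login required");
  const poll = db.get(input.pollId);
  if (!poll) throw new NotFoundError(input.pollId);
  // Missing: poll.userId === ctx.user.id. Any account can finalize any poll.
  poll.status = "finalized";
  poll.selectedOptionId = input.optionId;
  return poll;
}

// Fixed shape: the lookup is bound to the caller. Returning the same error for
// "does not exist" and "not yours" also avoids confirming which ids exist.
function finalizeFixed(db: Map<string, Poll>, ctx: Ctx, input: FinalizeInput): Poll {
  if (!ctx.user) throw new UnauthorizedError("login required");
  const poll = db.get(input.pollId);
  if (!poll || poll.userId !== ctx.user.id) throw new NotFoundError(input.pollId);
  poll.status = "finalized";
  poll.selectedOptionId = input.optionId;
  return poll;
}

// Regression check: call the handler as a user who does not own the poll and
// report whether the poll ended up finalized anyway.
function nonOwnerCanFinalize(handler: FinalizeHandler): boolean {
  const db = seedPolls();
  const mallory: Ctx = { user: { id: "mallory" } };
  try {
    handler(db, mallory, { pollId: "poll-a", optionId: "opt-1" });
  } catch {
    // rejection is the expected outcome for a correct handler
  }
  return db.get("poll-a")!.status === "finalized";
}

// Sanity check: the legitimate owner must still be able to finalize.
function ownerCanFinalize(handler: FinalizeHandler): boolean {
  const db = seedPolls();
  const alice: Ctx = { user: { id: "alice" } };
  try {
    handler(db, alice, { pollId: "poll-a", optionId: "opt-1" });
  } catch {
    return false;
  }
  const poll = db.get("poll-a")!;
  return poll.status === "finalized" && poll.selectedOptionId === "opt-1";
}

// Unauthenticated callers must be rejected by both versions; the bug is in
// authorization, not authentication.
function anonymousRejected(handler: FinalizeHandler): boolean {
  try {
    handler(seedPolls(), { user: null }, { pollId: "poll-a", optionId: "opt-1" });
    return false;
  } catch (e) {
    return e instanceof UnauthorizedError;
  }
}

console.log("vulnerable lets non-owner finalize:", nonOwnerCanFinalize(finalizeVulnerable));
console.log("fixed lets non-owner finalize:     ", nonOwnerCanFinalize(finalizeFixed));
```

The important design point is where the ownership check sits: it is part of the lookup itself, so there is no code path that reaches the state change with an unverified poll. Whether a non-owner should see "not found" or "forbidden" is a policy choice; collapsing both into one response is the more conservative option because it does not let an attacker enumerate valid poll identifiers.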

CVSS Analysis

  • CVE ID: CVE-2025-65021
  • Severity: CRITICAL
  • CVSS Score: 9.1

A score of 9.1 places the issue in the critical band. The exploitability side is straightforward: the attacker needs only an ordinary account and a modified pollId in a request the application already accepts, with no special tooling, timing window or user interaction. The impact side is driven by integrity (a poll's outcome is decided by someone other than its owner) and availability (the poll is closed out as an event on the attacker's terms), not by confidentiality; the advisory as summarised here describes no exposure of poll contents. Because a logged-in account is a precondition, instances that restrict who can register are less exposed, but only the patched version removes the flaw.

Possible Impact

Exploiting this IDOR has several practical consequences:

  • Unauthorized Poll Finalization: Any account holder can finalize polls they do not own, converting them into events without the owner's involvement.
  • Workflow Disruption: Participants receive a finalized date that the organiser never chose, leading to confusion, missed appointments and re-scheduling work.
  • Data Integrity Issues: The recorded outcome of a poll no longer reflects the owner's decision, so the scheduling data in the instance can no longer be trusted without re-checking.
  • Availability Issues: An attacker who enumerates or guesses poll identifiers can finalize polls across the instance at scale, effectively denying legitimate users the ability to run polls to completion.

Mitigation and Patch Steps

The vulnerability is fixed in Rallly version 4.5.4. All operators of self-hosted instances should upgrade to 4.5.4 or later as soon as possible; until then, restricting account registration to trusted users reduces exposure but does not remove it.

  1. Upgrade Rallly: Deploy version 4.5.4 or later from the official Rallly repository or its published container image, and confirm the running version after the rollout.
  2. Verify Implementation: With two test accounts, create a poll as the first account and attempt to finalize it as the second. The request must be rejected and the poll must remain unfinalized; repeat the check from the first account to confirm the owner can still finalize.
  3. Monitor Activity: Review application and reverse-proxy logs for finalization requests, and look for polls that were finalized while the instance was unpatched. Any poll finalized by someone other than its owner should be treated as tampered and its schedule re-confirmed with participants.

About the Author

Cybersecurity specialist and founder of Gowri Shankar Infosec, a professional blog dedicated to sharing actionable insights on cybersecurity, data protection, server administration, and compliance frameworks including SOC 2, PCI DSS, and GDPR.
