Overview
CVE-2025-65020 is a medium-severity vulnerability in Rallly, an open-source scheduling and collaboration tool. It is an Insecure Direct Object Reference (IDOR): the `polls.duplicate` procedure, served at `/api/trpc/polls.duplicate`, accepts any `pollId` from an authenticated user without checking that the caller owns the referenced poll. A low-privilege user can therefore clone polls belonging to other users, including private or administrative polls, into their own account. The issue is fixed in Rallly version 4.5.4.
Technical Details
The vulnerability lies in the `polls.duplicate` endpoint of the Rallly API. The handler confirms that the caller is authenticated but does not verify that the authenticated user owns (or otherwise has rights to) the poll identified by `pollId` before copying it. Exploitation requires only:
- An account on the target Rallly instance; any ordinary, low-privilege user will do.
- The `pollId` of a poll the attacker does not own. Poll identifiers are not secrets: they appear in the links used to share polls, so anyone who has received a poll link holds one.
- A `POST` request to `/api/trpc/polls.duplicate` whose body carries that `pollId`.
Because no ownership check is performed, the application creates a copy of the target poll under the attacker's account. The attacker then has a poll they fully control that carries the source poll's configuration (title, description, options and whatever other fields the duplication logic copies), which may include sensitive information.
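The missing check, shown as an added example in plain TypeScript rather than Rallly's own tRPC code (the names `Poll`, `Session`, `PollStore`, `AccessError`, `duplicatePollVulnerable` and `duplicatePollFixed` are hypothetical, and the in-memory store stands in for the database): the vulnerable handler only confirms that someone is signed in, while the hardened handler also requires the source poll to belong to the caller.

```typescript
// Added example, not Rallly's code: the ownership check whose absence is
// CVE-2025-65020, reduced to plain TypeScript so it runs without tRPC or a
// database. Poll, Session, PollStore, AccessError and both handlers are
// hypothetical names chosen for this illustration.

type Poll = { id: string; title: string; userId: string; options: string[] };
type Session = { userId: string } | null;
type AccessCode = "UNAUTHORIZED" | "FORBIDDEN" | "NOT_FOUND";

class AccessError extends Error {
  code: AccessCode;
  constructor(code: AccessCode) {
    super(code);
    this.code = code;
  }
}

// Minimal in-memory stand-in for the polls table.
class PollStore {
  private polls = new Map<string, Poll>();
  private seq = 0;
  constructor(seed: Poll[] = []) {
    for (const p of seed) this.polls.set(p.id, p);
  }
  get(id: string): Poll | undefined {
    return this.polls.get(id);
  }
  create(p: Omit<Poll, "id">): Poll {
    const poll: Poll = { id: `poll-${++this.seq}`, ...p };
    this.polls.set(poll.id, poll);
    return poll;
  }
  size(): number {
    return this.polls.size;
  }
}

function copyOf(source: Poll, ownerId: string): Omit<Poll, "id"> {
  return { title: `${source.title} (copy)`, userId: ownerId, options: [...source.options] };
}

// VULNERABLE pattern: checks that *some* user is signed in, then trusts the
// client-supplied pollId. Any existing poll can be cloned (IDOR).
function duplicatePollVulnerable(store: PollStore, session: Session, pollId: string): Poll {
  if (!session) throw new AccessError("UNAUTHORIZED");
  const source = store.get(pollId);
  if (!source) throw new AccessError("NOT_FOUND");
  return store.create(copyOf(source, session.userId));
}

// HARDENED pattern: the source poll must belong to the caller. A missing poll
// and a poll owned by someone else both map to NOT_FOUND, so the response does
// not tell the caller which pollIds exist.
function duplicatePollFixed(store: PollStore, session: Session, pollId: string): Poll {
  if (!session) throw new AccessError("UNAUTHORIZED");
  const source = store.get(pollId);
  if (!source || source.userId !== session.userId) throw new AccessError("NOT_FOUND");
  return store.create(copyOf(source, session.userId));
}

type Outcome = { result: "COPIED" | AccessCode; pollsAfter: number };

// Run one handler and report whether a copy was created.
function attempt(handler: typeof duplicatePollFixed, store: PollStore, session: Session, pollId: string): Outcome {
  try {
    handler(store, session, pollId);
    return { result: "COPIED", pollsAfter: store.size() };
  } catch (e) {
    if (e instanceof AccessError) return { result: e.code, pollsAfter: store.size() };
    throw e;
  }
}

// Scenario (constructed data): alice owns a private poll; bob, an ordinary
// authenticated user, submits alice's pollId to the given handler.
function scenario(handler: typeof duplicatePollFixed): Outcome {
  const store = new PollStore([
    { id: "alice-private", title: "Board offsite dates", userId: "alice", options: ["2025-11-03", "2025-11-10"] },
  ]);
  return attempt(handler, store, { userId: "bob" }, "alice-private");
}
```

With the vulnerable handler `scenario` reports `COPIED` and the store grows to two polls; with the hardened handler it reports `NOT_FOUND` and the store is unchanged, while alice duplicating her own poll still succeeds. Returning `NOT_FOUND` for foreign polls rather than `FORBIDDEN` is a deliberate choice: a 403 would confirm that the guessed identifier exists.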
CVSS Analysis
The page lists CVE-2025-65020 with a CVSS score of 6.5 (MEDIUM) and the following CVSS 3.x metrics, which correspond to the vector `CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N`:
- Attack Vector: Network (AV:N)
- Attack Complexity: Low (AC:L)
- Privileges Required: Low (PR:L)
- User Interaction: None (UI:N)
- Scope: Unchanged (S:U)
- Confidentiality Impact: Low (C:L)
- Integrity Impact: Low (I:L)
- Availability Impact: None (A:N)
Note that the metrics above compute to a CVSS 3.1 base score of 5.4, not 6.5; a 6.5 would require a different vector (for example, Confidentiality: High with Integrity: None). Check the vector string in the GitHub advisory before quoting a score. Whichever figure applies, low privileges required (any registered account), no user interaction and low attack complexity mean a single crafted request from an ordinary account is enough to exploit the flaw.
Possible Impact
Successful exploitation of CVE-2025-65020 can have several negative impacts:
- Unauthorized Access to Poll Data: the copy exposes the source poll's title, description, options and any other fields the duplication logic carries over, potentially including participant information.
- Data Modification: the source poll itself is not modified by the duplication; the attacker controls only the copy. That copy can, however, be edited freely and presented to participants as if it were the legitimate poll.
- Service Disruption: the availability impact is rated None, but mass duplication of large polls could indirectly degrade performance or fill storage.
- Reputational Damage: exposure of private poll data can damage the reputation of the Rallly instance owner or the organization using the platform.
Mitigation and Patch Steps
The recommended mitigation is to upgrade Rallly to version 4.5.4 or later, which adds the missing ownership check to the poll duplication endpoint. To upgrade:
- Consult the official Rallly documentation for upgrade instructions for your deployment method.
- Back up your Rallly database before performing the upgrade.
- Verify the fix after the upgrade: from a second, low-privilege account, attempt to duplicate a poll owned by the first account and confirm the request is rejected (a 403 or 404 tRPC error rather than a new poll), and confirm that duplicating a poll the account does own still succeeds, so that a rejection is not merely a malformed request.
If upgrading is not immediately possible, block the `polls.duplicate` procedure at a reverse proxy in front of the application. tRPC clients may batch several procedures into one request whose path lists them comma-separated, so match on the `polls.duplicate` substring rather than the exact path `/api/trpc/polls.duplicate`; this will also fail any batch that includes the call. Alternatively, patch the server-side handler to check that the poll's owner matches the authenticated user before duplicating.
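A post-upgrade probe, added here as an example and not part of Rallly or its advisory. The transport is injected (a `Sender` wrapping `fetch` in real use) so the decision logic can be exercised offline; the names `buildDuplicateRequest`, `judge`, `verifyDuplicateFix` and `fakeServer` are hypothetical. The request envelope `{ json: { pollId } }` is an assumption about the instance's tRPC transformer; send the bare input object instead if your deployment does not use superjson.

```typescript
// Added example, not Rallly's code: a post-upgrade probe for CVE-2025-65020.
// It first duplicates a poll the test account owns (a control proving the
// session cookie and request shape are right) and then a poll owned by a
// different account, and judges the fix from the two HTTP status codes.

type ProbeRequest = { url: string; method: "POST"; headers: Record<string, string>; body: string };
type ProbeResponse = { status: number };
type Sender = (req: ProbeRequest) => Promise<ProbeResponse>;
type Verdict = "FIXED" | "STILL_VULNERABLE" | "NOT_AUTHENTICATED" | "INCONCLUSIVE";

function buildDuplicateRequest(baseUrl: string, sessionCookie: string, pollId: string): ProbeRequest {
  return {
    url: `${baseUrl.replace(/\/+$/, "")}/api/trpc/polls.duplicate`,
    method: "POST",
    headers: { "content-type": "application/json", cookie: sessionCookie },
    // Assumed tRPC/superjson envelope; use JSON.stringify({ pollId }) if the
    // instance does not use a transformer.
    body: JSON.stringify({ json: { pollId } }),
  };
}

// ownStatus: result of duplicating a poll the caller owns (control).
// foreignStatus: result of duplicating a poll owned by someone else.
function judge(ownStatus: number, foreignStatus: number): Verdict {
  const ok = (s: number) => s >= 200 && s < 300;
  if (ownStatus === 401) return "NOT_AUTHENTICATED";
  if (!ok(ownStatus)) return "INCONCLUSIVE"; // control failed: wrong body shape, wrong id, ...
  if (ok(foreignStatus)) return "STILL_VULNERABLE";
  if (foreignStatus === 403 || foreignStatus === 404) return "FIXED";
  return "INCONCLUSIVE";
}

async function verifyDuplicateFix(
  send: Sender,
  baseUrl: string,
  sessionCookie: string,
  ownPollId: string,
  foreignPollId: string,
): Promise<Verdict> {
  const own = await send(buildDuplicateRequest(baseUrl, sessionCookie, ownPollId));
  const foreign = await send(buildDuplicateRequest(baseUrl, sessionCookie, foreignPollId));
  return judge(own.status, foreign.status);
}

// Fake transport for offline checks (constructed): every id in `owned` counts
// as the caller's own poll and succeeds; any other id gets `foreignStatus`.
function fakeServer(owned: string[], foreignStatus: number): Sender {
  return async (req) => {
    const { json } = JSON.parse(req.body) as { json: { pollId: string } };
    return { status: owned.includes(json.pollId) ? 200 : foreignStatus };
  };
}
```

Against a live instance, pass a sender built on `fetch`, for example `async r => ({ status: (await fetch(r.url, { method: r.method, headers: r.headers, body: r.body })).status })`, together with the test account's session cookie, the id of a poll that account owns and the id of a poll owned by another account. The control request creates a real copy of your own poll, and a `STILL_VULNERABLE` result means a copy of the foreign poll was created too; delete those copies afterwards. `INCONCLUSIVE` on the control usually means the request envelope does not match the instance's tRPC configuration, not that the fix is absent.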
References
Rallly v4.5.4 Release Notes (GitHub)
GHSA-44w7-pf32-gv5m Security Advisory (GitHub)
