CVE-2025-65029: High-Severity IDOR Vulnerability in Rallly Allows Unauthorized Participant Deletion

Overview

CVE-2025-65029 is a high-severity vulnerability in Rallly, an open-source scheduling and collaboration tool. It is an Insecure Direct Object Reference (IDOR): the participant-deletion endpoint accepts a participant ID from any authenticated user and deletes the matching participant without checking that the caller owns that participant entry or administers the poll it belongs to. An attacker can therefore remove arbitrary users from polls, disrupting scheduled events and corrupting the poll's participation data.

Technical Details

The vulnerability exists because the endpoint responsible for deleting participants treats a valid participant ID as sufficient authorization for the request. The application confirms that the caller is logged in, but performs no object-level check that the caller created that participant entry or has permission to manage the poll it belongs to. An authenticated attacker only has to substitute a different participant ID in an otherwise ordinary deletion request to remove any participant from any poll, including the poll owner's own entry. If participant IDs are visible to other viewers of a poll, no guessing is needed. This is the classic IDOR pattern: authentication is checked, authorization against the referenced object is not.
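To make the missing check concrete, here is an added example written for this article; it is not Rallly's code, and the store, handler names and record shapes are hypothetical. The vulnerable handler deletes whatever ID it is handed; the fixed handler loads the participant first and requires the caller to be either the user behind that entry or the owner of the poll it belongs to.

```typescript
// Added illustration of the IDOR described above (not Rallly's source).
// Types, store and handler names are hypothetical.

type Poll = { id: string; ownerId: string };
type Participant = { id: string; pollId: string; userId: string | null }; // null = guest entry
type Session = { userId: string };
type Outcome = "deleted" | "forbidden" | "not_found";

// Constructed in-memory store standing in for the database.
const polls = new Map<string, Poll>();
const participants = new Map<string, Participant>();

function seed(): void {
  polls.clear();
  participants.clear();
  polls.set("poll-1", { id: "poll-1", ownerId: "alice" });
  participants.set("p-alice", { id: "p-alice", pollId: "poll-1", userId: "alice" });
  participants.set("p-bob", { id: "p-bob", pollId: "poll-1", userId: "bob" });
  participants.set("p-guest", { id: "p-guest", pollId: "poll-1", userId: null });
}

// VULNERABLE: the caller is authenticated (a session exists), but the only
// thing checked is that the participant ID resolves to a row.
function deleteParticipantVulnerable(_session: Session, participantId: string): Outcome {
  if (!participants.has(participantId)) return "not_found";
  participants.delete(participantId); // any logged-in user can delete any participant
  return "deleted";
}

// FIXED: resolve the object, then authorize the caller against that object.
// A participant may be removed by the user who owns the entry, or by the
// owner of the poll the entry belongs to. Everyone else is refused.
function deleteParticipantSecure(session: Session, participantId: string): Outcome {
  const participant = participants.get(participantId);
  if (!participant) return "not_found";
  const poll = polls.get(participant.pollId);
  const isOwnEntry = participant.userId !== null && participant.userId === session.userId;
  const isPollOwner = poll !== undefined && poll.ownerId === session.userId;
  if (!isOwnEntry && !isPollOwner) return "forbidden";
  participants.delete(participantId);
  return "deleted";
}

// Demo: "mallory" is logged in but has no relation to poll-1 at all.
function demo(): { vulnerable: Outcome; secure: Outcome } {
  seed();
  const mallory: Session = { userId: "mallory" };
  const vulnerable = deleteParticipantVulnerable(mallory, "p-alice"); // "deleted"
  seed();
  const secure = deleteParticipantSecure(mallory, "p-alice");         // "forbidden"
  return { vulnerable, secure };
}

console.log(demo());
```

The important design point is that the authorization decision is made against the loaded object (its owner and its poll), not against anything the client supplied. The check belongs in the handler itself, not only in the UI that hides the delete button; the IDOR exists precisely because the request can be crafted without the UI.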

CVSS Analysis

This vulnerability has been assigned a CVSS base score of 8.1, which falls in the HIGH severity band. The vector (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H) breaks down as follows:

  • Base Score: 8.1
  • Attack Vector: Network (AV:N)
  • Attack Complexity: Low (AC:L)
  • Privileges Required: Low (PR:L)
  • User Interaction: None (UI:N)
  • Scope: Unchanged (S:U)
  • Confidentiality Impact: None (C:N)
  • Integrity Impact: High (I:H)
  • Availability Impact: High (A:H)

The low attack complexity, the low privileges required (any account suffices) and the absence of user interaction, combined with the high integrity and availability impact, account for the high overall score. Confidentiality is rated None because the flaw only lets an attacker delete data, not read it.

Possible Impact

The exploitation of CVE-2025-65029 can have several significant impacts:

  • Data Integrity Compromise: Attackers can remove participants from polls, leading to inaccurate or incomplete participation data.
  • Availability Disruption: Removal of poll owners or key participants can effectively disable or disrupt the scheduling process.
  • Denial of Service: Repeated removal of users can create a denial-of-service condition, preventing legitimate users from participating in polls.
  • Reputational Damage: Users may lose trust in the Rallly platform.

Mitigation or Patch Steps

The vulnerability has been patched in Rallly version 4.5.4, which adds an authorization check to the participant-deletion path. All Rallly deployments should be upgraded to 4.5.4 or later as soon as possible. If an immediate upgrade is not possible, reduce exposure in the meantime by restricting who can reach the instance (for example, limiting it to trusted networks or users) and by monitoring poll activity for unexpected participant removals. Note that monitoring only detects abuse after the fact; it does not prevent it, and every authenticated account remains able to trigger the deletion until the upgrade is applied.

Cybersecurity specialist and founder of Gowri Shankar Infosec - a professional blog dedicated to sharing actionable insights on cybersecurity, data protection, server administration, and compliance frameworks including SOC 2, PCI DSS, and GDPR.