Urgent: High Severity Vulnerability CVE-2025-65034 Affects Rallly Scheduling Tool

Overview

A high-severity vulnerability, identified as CVE-2025-65034, has been discovered in Rallly, an open-source scheduling and collaboration tool. This vulnerability allows authenticated users to reopen finalized polls belonging to other users, leading to potential disruption and data integrity issues. Immediate action is recommended to mitigate this risk.

Technical Details

The vulnerability stems from improper authorization checks within the Rallly application. Specifically, any authenticated user can manipulate the pollId parameter to target and reopen finalized polls created by other users. This bypasses intended access controls and enables unauthorized modification of poll settings.

This flaw affects versions prior to 4.5.4. The fix implemented in version 4.5.4 includes improved authorization checks to prevent users from reopening polls that do not belong to them.
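To make the flaw concrete, below is an added illustration written for this post, not Rallly's own code; the handler names, the in-memory store and the user and poll records are all hypothetical. The vulnerable handler only relies on the caller being authenticated, so the pollId it receives is effectively an attacker-chosen selector; the hardened handler loads the poll and then checks ownership against it before changing state.

```typescript
// Added illustration of the authorization flaw; not Rallly's code. All names are hypothetical.
type User = { id: string; role: "user" | "admin" };
type Poll = { id: string; userId: string; status: "live" | "finalized" };

class NotFoundError extends Error {}
class ForbiddenError extends Error {}

// Constructed sample data: two users, each owning one finalized poll.
function seedPolls(): Map<string, Poll> {
  return new Map<string, Poll>([
    ["poll-a", { id: "poll-a", userId: "alice", status: "finalized" }],
    ["poll-b", { id: "poll-b", userId: "bob", status: "finalized" }],
  ]);
}

// Vulnerable shape: the handler requires a signed-in user but never checks
// that the poll belongs to that user, so any valid pollId can be reopened.
function reopenPollVulnerable(store: Map<string, Poll>, _actor: User, pollId: string): Poll {
  const poll = store.get(pollId);
  if (!poll) throw new NotFoundError(`poll ${pollId} not found`);
  poll.status = "live";
  return poll;
}

// Object-level authorization predicate: owner or admin only. Kept separate so
// the same rule can guard every poll mutation (reopen, finalize, delete, ...).
function canManagePoll(actor: User, poll: Poll): boolean {
  return actor.role === "admin" || poll.userId === actor.id;
}

// Hardened shape: load the object, authorize against it, and only then mutate.
function reopenPollSecure(store: Map<string, Poll>, actor: User, pollId: string): Poll {
  const poll = store.get(pollId);
  if (!poll) throw new NotFoundError(`poll ${pollId} not found`);
  if (!canManagePoll(actor, poll)) {
    throw new ForbiddenError(`user ${actor.id} may not reopen poll ${pollId}`);
  }
  poll.status = "live";
  return poll;
}
```

For detection while an upgrade is pending, the same ownership predicate can be evaluated in request logging: a reopen request where the authenticated user is neither the poll owner nor an admin is the event worth alerting on.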

CVSS Analysis

This vulnerability has been assigned a CVSS score of 8.1, indicating high severity. The breakdown is as follows:

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: High

This score reflects the ease of exploitation and the significant potential impact on data integrity and service availability.

Possible Impact

The exploitation of CVE-2025-65034 can lead to the following consequences:

  • Disruption of Events: Unauthorized reopening of polls can disrupt scheduled events and cause confusion among participants.
  • Data Integrity Compromise: Manipulation of poll settings can alter event details and compromise the integrity of collected data.
  • Availability Issues: Repeatedly reopening and modifying polls can lead to denial-of-service conditions, impacting the availability of the Rallly application.

Mitigation or Patch Steps

The recommended mitigation step is to immediately update your Rallly installation to version 4.5.4 or later. This version includes the necessary security fixes to address the authorization vulnerability.

The latest version is available from the official Rallly GitHub repository. Recommended upgrade procedure:

  1. Back up your Rallly data before upgrading.
  2. Follow the official upgrade instructions provided in the Rallly documentation.
  3. Verify that the upgrade was successful and that the vulnerability has been resolved.

Cybersecurity specialist and founder of Gowri Shankar Infosec - a professional blog dedicated to sharing actionable insights on cybersecurity, data protection, server administration, and compliance frameworks including SOC 2, PCI DSS, and GDPR.
