CVE-2025-65029 in rallly
Summary
by MITRE • 11/19/2025
Rallly is an open-source scheduling and collaboration tool. Prior to version 4.5.4, an insecure direct object reference (IDOR) vulnerability allows any authenticated user to delete arbitrary participants from polls without ownership verification. The endpoint relies solely on a participant ID to authorize deletions, enabling attackers to remove other users (including poll owners) from polls. This impacts the integrity and availability of poll participation data. This issue has been patched in version 4.5.4.
Analysis
by VulDB Data Team • 11/19/2025
CVE-2025-65029 is a critical insecure direct object reference (IDOR) flaw in the Rallly scheduling platform affecting versions prior to 4.5.4. It is classified under CWE-284 (Improper Access Control), which covers applications that fail to validate a user's authorization before operating on an object. The defect sits in the poll participant deletion functionality: the endpoint accepts a participant ID as its sole authorization input and never checks whether the authenticated user has a legitimate right to modify that participant's status in the poll. This violates the principle of least privilege and leaves access control unenforced for that operation.
Exploitation requires only an authenticated account and a valid participant ID, whether known or guessed: a request to the participant deletion endpoint is processed without any ownership or role-based check, so any legitimate user can remove participants from polls they neither own nor control. This breaks the application's authorization model and leaves poll owners without control over their own collaborative spaces. In CIA terms the flaw primarily affects integrity, through unauthorized modification of poll participation data, and secondarily availability, since removing participants without consent can disrupt scheduled events.
The operational impact goes beyond data modification to the collaboration and trust the platform depends on. Once poll owners cannot control who participates in their scheduled events, scheduling activities can be disrupted and the platform's core function is undermined. The flaw affects both the availability of poll data, through unauthorized removal of participants, and the integrity of the collaborative environment, by letting malicious actors interfere with others' scheduling. Organizations that rely on Rallly for critical scheduling coordination are most exposed, since unauthorized participant removal could cause significant operational disruption and potential security breaches.
Mitigation for CVE-2025-65029 centers on enforcing access control before any participant deletion is performed: the authorization logic should verify that the authenticated user either owns the poll or holds explicit administrative privileges before allowing the removal. This aligns with ATT&CK technique T1078, which covers valid accounts and privilege escalation, since the vulnerability grants administrative-like capability to an ordinary, already-authenticated account. Operators should also validate and check request parameters so that every request is both authenticated and authorized, and should consider rate limiting and monitoring for unusual deletion patterns. The fix in version 4.5.4 enforces ownership verification and access control checks before a participant deletion is allowed.
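As an added illustration (not Rallly's own code; the in-memory store, data model and function names are assumptions), the following TypeScript sketch places the defect described above beside the owner-or-admin check the fix is described as enforcing:

```typescript
// Illustrative model of the CVE-2025-65029 authorization defect and its fix.
// Added example, not Rallly's code: the store, types and function names are assumed.
type Role = "user" | "admin";
interface User { id: string; role: Role }
interface Poll { id: string; ownerId: string }
interface Participant { id: string; pollId: string; userId: string }

// Constructed in-memory store standing in for the database.
const users = new Map<string, User>();
const polls = new Map<string, Poll>();
const participants = new Map<string, Participant>();

// (Re)populate the store: one poll owned by u-owner with two participants.
function resetStore(): void {
  users.clear(); polls.clear(); participants.clear();
  for (const u of [
    { id: "u-owner", role: "user" as Role }, { id: "u-guest", role: "user" as Role },
    { id: "u-other", role: "user" as Role }, { id: "u-admin", role: "admin" as Role },
  ]) users.set(u.id, u);
  polls.set("p1", { id: "p1", ownerId: "u-owner" });
  participants.set("part-1", { id: "part-1", pollId: "p1", userId: "u-owner" });
  participants.set("part-2", { id: "part-2", pollId: "p1", userId: "u-guest" });
}
resetStore();

// Vulnerable shape (pre-4.5.4 as described in the advisory): the caller must be
// authenticated, but the participant ID alone drives the deletion.
function deleteParticipantInsecure(callerId: string, participantId: string): boolean {
  if (!users.has(callerId)) throw new Error("unauthenticated");
  return participants.delete(participantId); // no ownership or role check
}

// Hardened shape: resolve the participant to its poll and require that the
// caller owns that poll or holds an admin role before deleting.
function deleteParticipant(callerId: string, participantId: string): boolean {
  const caller = users.get(callerId);
  if (!caller) throw new Error("unauthenticated");
  const participant = participants.get(participantId);
  // Uniform "not found" so the endpoint does not confirm which IDs exist.
  if (!participant) throw new Error("not found");
  const poll = polls.get(participant.pollId);
  if (!poll) throw new Error("not found");
  const authorized = caller.role === "admin" || poll.ownerId === caller.id;
  if (!authorized) throw new Error("forbidden");
  return participants.delete(participantId);
}
```

Running the two functions against the same store shows that only the hardened version refuses a deletion request from an unrelated authenticated user.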