CVE-2025-65033 in rallly
Summary
by MITRE • 11/19/2025
Rallly is an open-source scheduling and collaboration tool. Prior to version 4.5.4, an authorization flaw in the poll management feature allows any authenticated user to pause or resume any poll, regardless of ownership. The system only uses the public pollId to identify polls, and it does not verify whether the user performing the action is the poll owner. As a result, any user can disrupt polls created by others, leading to a loss of integrity and availability across the application. This issue has been patched in version 4.5.4.
Analysis
by VulDB Data Team • 11/19/2025
The vulnerability identified as CVE-2025-65033 affects Rallly, an open-source scheduling and collaboration platform that lets users create and manage polls for event coordination. The flaw is a missing authorization check in the poll management functionality: any authenticated user can pause or resume polls created by other users, which breaks the application's ownership model and the integrity of other users' polls. Versions prior to 4.5.4 are affected; the fix shipped in 4.5.4.
The root cause is an improper authorization check in the poll management system. The pause and resume operations identify the target poll solely by its public pollId, and nothing confirms that the requesting user owns that poll. Because the identifier is public, possessing it confers no authority; the server must still compare the authenticated user's identity against the poll's stored owner before mutating it. The result is a horizontal privilege escalation, where a user acts on another user's resource, and an object-level authorization bypass of the kind classified as CWE-285: Improper Authorization, the weakness class in which an application does not verify that an authenticated actor is allowed to perform the requested action on the requested resource.
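The following TypeScript is an added example, not Rallly's code or its patch. It models the class of flaw described above with an in-memory store: a vulnerable handler that locates the poll by its public pollId alone, beside a hardened handler that scopes the lookup to the authenticated user's identity. It also records denied attempts, the kind of signal the remediation advice below suggests monitoring. The names createPollService, setPollPaused, SAMPLE_POLLS and the users alice, bob and mallory are all hypothetical.

```typescript
// Added example (not Rallly's code): the class of flaw behind CVE-2025-65033,
// modelled with an in-memory store. All names and sample data are hypothetical.

export interface Poll {
  id: string;       // the public pollId; knowing it must not confer authority
  ownerId: string;  // account that created the poll
  paused: boolean;
}

export interface Session {
  userId: string;   // identity established by authentication, never read from the request body
}

export interface DeniedAttempt {
  userId: string;
  pollId: string;
  action: string;
}

export class NotFoundError extends Error {
  constructor(pollId: string) {
    super(`poll ${pollId} not found`);
    this.name = "NotFoundError";
  }
}

// Constructed sample data: two users, each owning one poll.
export const SAMPLE_POLLS: Poll[] = [
  { id: "poll-alice", ownerId: "alice", paused: false },
  { id: "poll-bob", ownerId: "bob", paused: false },
];

export function createPollService(seed: Poll[]) {
  const polls = new Map<string, Poll>(seed.map((p) => [p.id, { ...p }] as [string, Poll]));
  const denied: DeniedAttempt[] = [];

  // VULNERABLE pattern: the poll is located by its public id alone and the
  // session is never consulted, so any authenticated user can pause any poll.
  function pausePollVulnerable(_session: Session, pollId: string): Poll {
    const poll = polls.get(pollId);
    if (!poll) throw new NotFoundError(pollId);
    poll.paused = true;
    return poll;
  }

  // HARDENED pattern: the lookup is scoped to the caller's identity, so a poll
  // the caller does not own is reported the same way as a poll that does not
  // exist. Folding the ownership test into the lookup (the equivalent of
  // WHERE id = ? AND owner_id = ? in a database query) means no later code path
  // can forget to perform it. Denied attempts are recorded for monitoring.
  function findOwnedPoll(session: Session, pollId: string): Poll {
    const poll = polls.get(pollId);
    if (!poll || poll.ownerId !== session.userId) {
      denied.push({ userId: session.userId, pollId, action: "setPaused" });
      throw new NotFoundError(pollId);
    }
    return poll;
  }

  function setPollPaused(session: Session, pollId: string, paused: boolean): Poll {
    const poll = findOwnedPoll(session, pollId);
    poll.paused = paused;
    return poll;
  }

  function getPoll(pollId: string): Poll | undefined {
    return polls.get(pollId);
  }

  return { pausePollVulnerable, setPollPaused, getPoll, denied };
}

// Walk-through: "mallory" is an ordinary authenticated user who knows the
// public ids of alice's and bob's polls.
export function demo() {
  const svc = createPollService(SAMPLE_POLLS);
  const mallory: Session = { userId: "mallory" };

  // Vulnerable handler: mallory pauses alice's poll without owning it.
  const vulnerablePausedAlice = svc.pausePollVulnerable(mallory, "poll-alice").paused;

  // Hardened handler: the same attempt against bob's poll is rejected.
  let hardenedRejected = false;
  try {
    svc.setPollPaused(mallory, "poll-bob", true);
  } catch (e) {
    hardenedRejected = e instanceof NotFoundError;
  }
  const bobUntouchedAfterAttack = svc.getPoll("poll-bob")!.paused === false;

  // The legitimate owner can still pause his own poll.
  const ownerCanPause = svc.setPollPaused({ userId: "bob" }, "poll-bob", true).paused;

  return { vulnerablePausedAlice, hardenedRejected, bobUntouchedAfterAttack, ownerCanPause, deniedCount: svc.denied.length };
}
```

The hardened path deliberately returns the same not-found error for "does not exist" and "not yours"; on an endpoint whose ids are meant to be public a 403 is also acceptable, but a single error keeps the handler from doubling as an ownership oracle. The important design choice is that the ownership condition lives in the lookup itself rather than in a check that each mutation must remember to call.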
The operational impact falls on the availability and integrity of poll management. An authenticated attacker can pause, and later resume, polls created by other users at will, disrupting them for their organizer and participants and making it impossible for organizers to trust the state of their own polls. The precondition is low: an ordinary account on the instance plus knowledge of the target pollId, which is public by design. The documented impact is limited to the pause and resume operations, but in scheduling workflows where timing matters that is enough to derail coordination, and repeated toggling amounts to a targeted denial of service against specific polls.
From a threat modeling perspective, the closest ATT&CK fit is T1078 (Valid Accounts), since the attacker acts from a legitimately authenticated session, but the sub-technique T1078.004 (Cloud Accounts) does not apply: the account is an ordinary application account, not a cloud-provider identity, and the account itself is not compromised. A more precise label is broken object-level authorization (OWASP API Security Top 10 2023, API1), where a valid user manipulates another user's object by supplying its identifier. The advisory does not describe the patch in detail; presumably version 4.5.4 verifies ownership before allowing pause and resume, so that only the poll's creator can perform them. Organizations running Rallly should upgrade to version 4.5.4 or later. Beyond the upgrade, operators should review application logs, where available, for pause and resume events issued by users other than the poll owner, and developers of similar collaborative applications should audit every mutation on a shared resource for the same pattern of trusting a public identifier in place of an ownership check. The vulnerability is a reminder that authorization must be enforced per object, not merely per endpoint, wherever multiple users interact with shared resources.