Cyber Resilience

CVE-2025-65021

Critical · Public PoC

Published: 19 November 2025
Modified: 25 November 2025
CVSS Score v3.1: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H)
EPSS Score: 0.0008 (23.9th percentile)
Risk Priority: 18 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-65021 is a critical-severity Improper Authorization (CWE-285) vulnerability in Rallly (vendor: Rallly). Its CVSS v3.1 base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 23.9th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-24 (Access Control Decisions).

Deeper analysis

CVE-2025-65021 is an Insecure Direct Object Reference (IDOR) vulnerability affecting Rallly, an open-source scheduling and collaboration tool, in versions prior to 4.5.4. The flaw resides in the poll finalization feature, where the application fails to properly validate ownership of the pollId parameter in requests. This allows manipulation of the parameter to target polls belonging to other users. The vulnerability is associated with CWE-285 (Improper Authorization), CWE-639 (Authorization Bypass Through User-Controlled Key), and CWE-862 (Missing Authorization), and carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H).

Any authenticated user can exploit this vulnerability remotely over the network with low complexity and no user interaction required. By altering the pollId in the finalization request, an attacker can finalize another user's poll without authorization, converting it into an event. This disrupts legitimate user workflows, compromises data integrity by altering poll states without permission, and impacts availability by preventing proper poll management.

The issue has been addressed in Rallly version 4.5.4, as detailed in the project's release notes and security advisory. Security practitioners should upgrade to v4.5.4 or later and review access controls in similar parameter-driven features to prevent IDOR exposures. Relevant resources include the GitHub release at https://github.com/lukevella/rallly/releases/tag/v4.5.4 and the security advisory at https://github.com/lukevella/rallly/security/advisories/GHSA-x7w2-g548-4qg8.


Vulnerability details

Rallly is an open-source scheduling and collaboration tool. Prior to version 4.5.4, an Insecure Direct Object Reference (IDOR) vulnerability exists in the poll finalization feature of the application. Any authenticated user can finalize a poll they do not own by manipulating the pollId parameter in the request. This allows unauthorized users to finalize other users' polls and convert them into events without proper authorization checks, potentially disrupting user workflows and causing data integrity and availability issues. This issue has been patched in version 4.5.4.


Related Threats

MITRE ATT&CK Enterprise Techniques · AI

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1565.001 Stored Data Manipulation (Impact)
Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.

Why these techniques?

The IDOR vulnerability enables exploitation of a public-facing web application (T1190) via unauthorized manipulation of the pollId parameter, directly facilitating stored data manipulation (T1565.001) by altering poll states without proper authorization.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-0952 (shared CWE-862)
CVE-2025-24591 (shared CWE-862)
CVE-2024-42169 (shared CWE-639)
CVE-2026-27386 (shared CWE-862)
CVE-2026-33702 (shared CWE-639)
CVE-2026-34053 (shared CWE-862)
CVE-2026-3360 (shared CWE-862)
CVE-2026-4277 (shared CWE-862)
CVE-2026-25564 (shared CWE-639)
CVE-2026-26078 (shared CWE-639)

Affected Assets

Vendor: rallly
Product: rallly
Versions: ≤ 4.5.4

Mitigating Controls (NIST 800-53 r5) · AI

Prevent: Enforces approved authorizations for access to polls, preventing authenticated users from finalizing others' polls via manipulated pollId.

Prevent: Employs least privilege to ensure only poll owners can perform finalization actions, mitigating unauthorized access risks.

Prevent: Requires authorization decisions for access to poll resources by specific users or roles prior to finalization.
