CVE-2025-65021
Published: 19 November 2025
Summary
CVE-2025-65021 is a critical-severity Improper Authorization (CWE-285) vulnerability in Rallly. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability is ranked at the 23.7th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-24 (Access Control Decisions).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): Enforces approved authorizations for access to polls, preventing authenticated users from finalizing others' polls via a manipulated pollId.
- AC-6 (Least Privilege): Employs least privilege to ensure only poll owners can perform finalization actions, mitigating unauthorized access risks.
- AC-24 (Access Control Decisions): Requires authorization decisions for access to poll resources by specific users or roles prior to finalization.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The IDOR vulnerability enables exploitation of a public-facing web application (T1190) via unauthorized manipulation of the pollId parameter, which directly facilitates Stored Data Manipulation (T1565.001) by altering poll states without proper authorization.
NVD Description
Rallly is an open-source scheduling and collaboration tool. Prior to version 4.5.4, an Insecure Direct Object Reference (IDOR) vulnerability exists in the poll finalization feature of the application. Any authenticated user can finalize a poll they do not own by manipulating the pollId parameter in the request. This allows unauthorized users to finalize other users' polls and convert them into events without proper authorization checks, potentially disrupting user workflows and causing data integrity and availability issues. This issue has been patched in version 4.5.4.
Deeper analysis
CVE-2025-65021 is an Insecure Direct Object Reference (IDOR) vulnerability affecting Rallly, an open-source scheduling and collaboration tool, in versions prior to 4.5.4. The flaw resides in the poll finalization feature, where the application fails to properly validate ownership of the pollId parameter in requests. This allows manipulation of the parameter to target polls belonging to other users. The vulnerability is associated with CWE-285 (Improper Authorization), CWE-639 (Authorization Bypass Through User-Controlled Key), and CWE-862 (Missing Authorization), and carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H).
Any authenticated user can exploit this vulnerability remotely over the network with low complexity and no user interaction required. By simply altering the pollId in the finalization request, an attacker can finalize another user's poll without authorization, converting it into an event. This disrupts legitimate user workflows, compromises data integrity by altering poll states without permission, and impacts availability by preventing proper poll management.
The issue has been addressed in Rallly version 4.5.4, as detailed in the project's release notes and security advisory. Security practitioners should upgrade to v4.5.4 or later and review access controls in similar parameter-driven features to prevent IDOR exposures. Relevant resources include the GitHub release at https://github.com/lukevella/rallly/releases/tag/v4.5.4 and the security advisory at https://github.com/lukevella/rallly/security/advisories/GHSA-x7w2-g548-4qg8.
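The following is an added illustration, not Rallly's code or the patch shipped in v4.5.4, of the control the Mitigating Controls list and the analysis above describe: an ownership check taken before a poll is finalized. It contrasts the vulnerable shape (the request-supplied pollId is used as the lookup key and the caller is only authenticated, never authorized) with a hardened handler that makes the access-control decision (AC-24) and enforces it (AC-3) before any state change, and records denied attempts for detection. The `Poll`, `Session` and `FinalizeResult` types, the `finalizePoll*` functions and the in-memory store are all assumptions made for this example.

```typescript
// Added example (not Rallly's code): authorization check for a poll-finalization
// handler, modelled on the IDOR described in CVE-2025-65021. Every name here is
// an assumption; the Map stands in for the application's database.

type PollStatus = "live" | "finalized";

interface Poll {
  id: string;
  ownerId: string;
  status: PollStatus;
  eventId?: string;
}

// The authenticated caller. Authentication tells us who they are; it says
// nothing about which polls they may act on.
interface Session {
  userId: string;
}

type FinalizeResult =
  | { ok: true; eventId: string }
  | { ok: false; reason: "NOT_FOUND" | "FORBIDDEN" | "ALREADY_FINALIZED" };

// Constructed sample data: two polls owned by two different users.
function makeStore(): Map<string, Poll> {
  return new Map<string, Poll>([
    ["poll-alice", { id: "poll-alice", ownerId: "alice", status: "live" }],
    ["poll-bob", { id: "poll-bob", ownerId: "bob", status: "live" }],
  ]);
}

// Vulnerable shape, kept only for contrast: pollId from the request is trusted
// as the object reference and the session user is never compared with ownerId,
// so any authenticated user can finalize any poll (CWE-639 / CWE-862).
function finalizePollUnchecked(
  store: Map<string, Poll>,
  _session: Session,
  pollId: string,
): FinalizeResult {
  const poll = store.get(pollId);
  if (!poll) return { ok: false, reason: "NOT_FOUND" };
  if (poll.status === "finalized") return { ok: false, reason: "ALREADY_FINALIZED" };
  poll.status = "finalized";
  poll.eventId = `event-${poll.id}`;
  return { ok: true, eventId: poll.eventId };
}

// Hardened shape: the authorization decision happens before any mutation,
// and a denied attempt is written to an audit trail so repeated probing of
// foreign pollIds by one account is visible to detection.
function finalizePoll(
  store: Map<string, Poll>,
  session: Session,
  pollId: string,
  audit: string[],
): FinalizeResult {
  const poll = store.get(pollId);
  if (!poll) return { ok: false, reason: "NOT_FOUND" };

  // AC-24 decision + AC-3 enforcement: only the owner may finalize.
  if (poll.ownerId !== session.userId) {
    audit.push(
      `DENY finalize poll=${pollId} owner=${poll.ownerId} actor=${session.userId}`,
    );
    return { ok: false, reason: "FORBIDDEN" };
  }

  if (poll.status === "finalized") return { ok: false, reason: "ALREADY_FINALIZED" };
  poll.status = "finalized";
  poll.eventId = `event-${poll.id}`;
  return { ok: true, eventId: poll.eventId };
}

// Convenience entry point for running the example stand-alone.
function demo(): { unchecked: FinalizeResult; checked: FinalizeResult; audit: string[] } {
  const audit: string[] = [];
  const unchecked = finalizePollUnchecked(makeStore(), { userId: "carol" }, "poll-alice");
  const checked = finalizePoll(makeStore(), { userId: "carol" }, "poll-alice", audit);
  return { unchecked, checked, audit };
}
```

The check is deliberately placed ahead of the ALREADY_FINALIZED test so that a non-owner learns nothing about the poll's state. Whether a foreign poll answers FORBIDDEN or NOT_FOUND is a design choice; some services collapse both into NOT_FOUND to avoid confirming that an object exists, at the cost of a less specific audit record.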
Details
- CWE(s)