CVE-2025-47781
📋 TL;DR
CVE-2025-47781 allows unauthenticated attackers to brute-force 6-digit authentication tokens in Rallly's email-based login system. With knowledge of a valid email address, attackers can take over any user account within the 15-minute token expiration window. All Rallly users are affected by this vulnerability.
💻 Affected Systems
- Rallly
📦 What is this software?
Rallly by Rallly
⚠️ Risk & Real-World Impact
Worst Case
Complete account takeover of all user accounts, leading to unauthorized access to scheduling data, potential data theft, and malicious manipulation of scheduled events.
Likely Case
Targeted account takeover of specific users, potentially leading to unauthorized access to sensitive scheduling information and collaboration data.
If Mitigated
Failed brute-force attempts with account lockouts or rate limiting preventing successful exploitation.
🎯 Exploit Status
Exploitation requires only knowledge of a valid email address and basic scripting capabilities to brute-force the 6-digit token.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: None available
Vendor Advisory: https://github.com/lukevella/rallly/security/advisories/GHSA-gm8g-3r3j-48hv
Restart Required: No
Instructions:
No official patch available. Monitor the GitHub repository for updates and apply when released.
🔧 Temporary Workarounds
Implement Rate Limiting
Add rate limiting to the /api/auth/callback/email endpoint to prevent brute-force attempts
# Configure rate limiting in the reverse proxy or application firewall in front of Rallly.
# nginx example, in the http {} context (one zone keyed on client IP, 5 requests per minute):
#   limit_req_zone $binary_remote_addr zone=auth:10m rate=5r/m;
# Then in the location block that proxies /api/auth/callback/email:
#   limit_req zone=auth burst=10 nodelay;
# The zone is keyed on the client address, so if another proxy sits in front of nginx make sure the real client IP is restored first, or every client shares one bucket.
Disable Email Authentication
Temporarily disable email-based authentication if alternative login methods are available
# Modify Rallly configuration to disable email auth
# Check configuration files for authentication settings
🧯 If You Can't Patch
- Implement network-level controls to restrict access to the authentication endpoint
- Monitor authentication logs for brute-force patterns and implement alerting
🔍 How to Verify
Check if Vulnerable:
Check if running Rallly version 3.22.1 or earlier and using email authentication
Check Version:
Check package.json or application metadata for version information
Verify Fix Applied:
Verify that rate limiting is implemented on /api/auth/callback/email endpoint and tokens have been strengthened
📡 Detection & Monitoring
Log Indicators:
- Multiple failed authentication attempts from single IP
- Rapid sequential requests to /api/auth/callback/email
- Successful logins with previously failed tokens
Network Indicators:
- High volume of POST requests to authentication endpoint
- Pattern of sequential token attempts (000000-999999)
SIEM Query:
source="rallly" AND (url="/api/auth/callback/email" AND status=401) | stats count by src_ip | where count > 100
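The log indicators above can be turned into a concrete detector. The following is an added example, not code from Rallly or from this advisory: it parses constructed reverse-proxy access-log lines in Common Log Format (an assumption about what the proxy in front of Rallly writes), and flags any source IP whose rejected (HTTP 401, as in the SIEM query above) requests to /api/auth/callback/email exceed a threshold inside a sliding 15-minute window, matching the token lifetime. The 20-attempt threshold and the sample IPs are constructed values.

```python
"""Flag brute-force sources hitting the Rallly email-token callback.

Added example, not Rallly project code. Assumes Common Log Format access
logs from the reverse proxy and that a rejected token yields HTTP 401.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

AUTH_ENDPOINT = "/api/auth/callback/email"

# Common Log Format: ip ident user [time] "method path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("time"), TIME_FMT)
    path = m.group("path").split("?", 1)[0]   # ignore query strings
    return m.group("ip"), ts, m.group("method"), path, int(m.group("status"))


def find_bruteforce_sources(lines, threshold=20, window=timedelta(minutes=15)):
    """Return {ip: peak_failures} for every IP that exceeded `threshold`
    failed callback requests within any `window`-long sliding window.

    Lines are expected in chronological order per IP (normal log order).
    `window` defaults to the 15-minute token lifetime from the advisory;
    `threshold` is an assumed value to tune per deployment.
    """
    recent = defaultdict(deque)   # ip -> timestamps of 401s still inside the window
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, _method, path, status = rec
        if path != AUTH_ENDPOINT or status != 401:
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # evict failures older than the window
            q.popleft()
        if len(q) > threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged


def _fmt(ip, ts, method, path, status):
    """Build one constructed Common Log Format line."""
    return f'{ip} - - [{ts.strftime(TIME_FMT)}] "{method} {path} HTTP/1.1" {status} 123'


def build_sample_log():
    """Constructed sample: one legitimate user, one brute-force source, one junk line."""
    base = datetime(2025, 5, 12, 10, 0, 0, tzinfo=timezone.utc)
    lines = [
        # legitimate user mistypes the code once, then succeeds
        _fmt("198.51.100.5", base, "POST", AUTH_ENDPOINT, 401),
        _fmt("198.51.100.5", base + timedelta(seconds=30), "POST", AUTH_ENDPOINT, 200),
        _fmt("198.51.100.5", base + timedelta(seconds=40), "GET", "/polls", 200),
    ]
    # brute-force source: 25 rejected attempts five seconds apart
    for i in range(25):
        lines.append(_fmt("203.0.113.7", base + timedelta(seconds=5 * i), "POST", AUTH_ENDPOINT, 401))
    lines.append("not a log line at all")
    return lines


if __name__ == "__main__":
    for ip, peak in find_bruteforce_sources(build_sample_log()).items():
        print(f"ALERT {ip}: {peak} failed token submissions within 15 minutes")
```

The detector only sees what the proxy logs, so it counts attempts per source address; a brute force spread across many addresses needs the per-account view (failures per email) that only Rallly's own application logs can give, which is why the log indicators above list both.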