CVE-2025-65020
📋 TL;DR
An Insecure Direct Object Reference (IDOR) vulnerability in Rallly's poll duplication endpoint allows authenticated users to duplicate polls they don't own by manipulating the pollId parameter. This bypasses access controls, enabling unauthorized cloning of private or administrative polls. All Rallly instances running versions before 4.5.4 are affected.
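The pattern behind this bug, shown as an added illustration (not Rallly's own code): a vulnerable handler that only checks the caller is logged in, beside a hardened one that scopes the poll lookup to the caller. The data model, the in-memory store and the error classes are assumptions made for the example; in a real tRPC app this logic would live in a protected mutation with the caller taken from the request context.

```typescript
// Illustrative ownership check for a poll-duplication handler. This is an
// added example in the style of a tRPC mutation, not Rallly's actual code;
// the data model and error classes are assumptions.
interface User { id: string }
interface Poll { id: string; userId: string; title: string }
type PollStore = Map<string, Poll>;

class NotAuthorizedError extends Error {}
class NotFoundError extends Error {}

// Constructed sample data: two users, each owning one poll.
function samplePollStore(): PollStore {
  return new Map<string, Poll>([
    ["poll-a", { id: "poll-a", userId: "alice", title: "Q3 board offsite" }],
    ["poll-b", { id: "poll-b", userId: "bob", title: "Team lunch" }],
  ]);
}

// Copies a poll into the store under a new owner.
function clonePoll(store: PollStore, source: Poll, owner: User): Poll {
  const copy: Poll = {
    id: `${source.id}-copy-${owner.id}`,
    userId: owner.id,
    title: `${source.title} (copy)`,
  };
  store.set(copy.id, copy);
  return copy;
}

// Vulnerable shape (IDOR): the handler confirms the caller is authenticated
// (a `user` is present) and that the poll exists, but never that the poll
// belongs to the caller, so any logged-in user can clone any pollId.
function duplicatePollVulnerable(store: PollStore, user: User, pollId: string): Poll {
  const source = store.get(pollId);
  if (!source) throw new NotFoundError(`poll ${pollId} not found`);
  return clonePoll(store, source, user);
}

// Hardened shape: the lookup itself is scoped to the caller, so a poll the
// caller does not own is treated exactly like one that does not exist. This
// mirrors a query of the form `WHERE id = ? AND userId = ?` and avoids the
// endpoint confirming which poll ids exist.
function duplicatePollFixed(store: PollStore, user: User, pollId: string): Poll {
  const source = store.get(pollId);
  if (!source || source.userId !== user.id) {
    throw new NotAuthorizedError("not authorized to duplicate this poll");
  }
  return clonePoll(store, source, user);
}
```

The access-denied response that the "Verify Fix Applied" step below expects corresponds to the NotAuthorizedError path here: after the fix, a request for a poll the caller does not own never reaches the copy step.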
💻 Affected Systems
- Rallly
📦 What is this software?
Rallly by Rallly
⚠️ Risk & Real-World Impact
Worst Case
Attackers could duplicate sensitive administrative polls containing confidential scheduling information, organizational data, or private meeting details, potentially exposing sensitive business operations.
Likely Case
Unauthorized users cloning polls they shouldn't have access to, leading to data leakage of scheduling information and potential disruption of collaboration workflows.
If Mitigated
With proper access controls and authentication, users can only act on their own data, and the impact is limited accordingly.
🎯 Exploit Status
Exploitation requires authenticated access but is trivial once authenticated: only the pollId parameter in the API request needs to be changed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.5.4
Vendor Advisory: https://github.com/lukevella/rallly/security/advisories/GHSA-44w7-pf32-gv5m
Restart Required: Yes
Instructions:
1. Back up your Rallly instance.
2. Update to version 4.5.4 using your deployment method (Docker, manual, etc.).
3. Restart the application.
4. Verify the update was successful.
🔧 Temporary Workarounds
API Endpoint Restriction
Temporarily block or restrict access to the vulnerable endpoint /api/trpc/polls.duplicate
Enhanced Authentication Monitoring
Implement additional authentication checks and monitor for unusual poll duplication activity
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to detect and block suspicious poll duplication requests
- Add additional access control layer at reverse proxy/load balancer level to validate poll ownership
🔍 How to Verify
Check if Vulnerable:
Check whether your Rallly version is below 4.5.4. Attempt an authenticated API call to /api/trpc/polls.duplicate with a pollId you don't own.
Check Version:
Check Rallly web interface settings or application logs for version information
Verify Fix Applied:
After updating to 4.5.4, attempt the same unauthorized duplication; it should fail with an access-denied response.
📡 Detection & Monitoring
Log Indicators:
- Multiple poll duplication requests from same user
- Failed authorization attempts on poll duplication endpoint
- Unusual poll creation patterns
Network Indicators:
- POST requests to /api/trpc/polls.duplicate with varying pollId parameters
- High volume of poll duplication API calls
SIEM Query:
source="rallly" AND (uri_path="/api/trpc/polls.duplicate" AND response_status=200) | stats count by user, pollId
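The log and network indicators above, turned into a small offline detector as an added example (not part of the advisory and not Rallly code). It reads JSON log lines whose field names follow the SIEM query (user, uri_path, response_status, pollId), which is an assumption about your logging pipeline, since a plain reverse-proxy access log will not carry the user or pollId. The sample lines are constructed.

```typescript
// Added detection example for the indicators in this advisory. The log
// schema (JSON per line with the fields used in the SIEM query) and the
// sample events are assumptions constructed for this example.
interface DupEvent {
  ts: string;
  method: string;
  uri_path: string;
  response_status: number;
  user: string;
  pollId: string;
}

interface UserSummary {
  user: string;
  ok: number;           // successful duplications (HTTP 200)
  denied: number;       // 401/403 on the duplication endpoint
  polls: Set<string>;   // distinct pollIds duplicated successfully
}

// Constructed sample: alice duplicates her own poll twice (once via a tRPC
// batch request); mallory walks through several ids, two of them denied.
const SAMPLE_DUP_LOG = [
  '{"ts":"2025-11-20T10:00:01Z","method":"POST","uri_path":"/api/trpc/polls.duplicate","response_status":200,"user":"alice","pollId":"p1"}',
  '{"ts":"2025-11-20T10:00:03Z","method":"POST","uri_path":"/api/trpc/polls.duplicate,polls.get?batch=1","response_status":200,"user":"alice","pollId":"p1"}',
  '{"ts":"2025-11-20T10:00:05Z","method":"POST","uri_path":"/api/trpc/polls.get","response_status":200,"user":"mallory","pollId":"p2"}',
  '{"ts":"2025-11-20T10:01:00Z","method":"POST","uri_path":"/api/trpc/polls.duplicate","response_status":200,"user":"mallory","pollId":"p2"}',
  '{"ts":"2025-11-20T10:01:02Z","method":"POST","uri_path":"/api/trpc/polls.duplicate","response_status":200,"user":"mallory","pollId":"p3"}',
  '{"ts":"2025-11-20T10:01:04Z","method":"POST","uri_path":"/api/trpc/polls.duplicate","response_status":403,"user":"mallory","pollId":"p4"}',
  '{"ts":"2025-11-20T10:01:06Z","method":"POST","uri_path":"/api/trpc/polls.duplicate","response_status":200,"user":"mallory","pollId":"p5"}',
  '{"ts":"2025-11-20T10:01:08Z","method":"POST","uri_path":"/api/trpc/polls.duplicate","response_status":403,"user":"mallory","pollId":"p6"}',
  "not json at all",
].join("\n");

// tRPC batch requests list several procedure names in the path separated by
// commas, so an exact match on "/api/trpc/polls.duplicate" would miss them.
function isDuplicateCall(uriPath: string): boolean {
  const prefix = "/api/trpc/";
  if (!uriPath.startsWith(prefix)) return false;
  const procedures = uriPath.slice(prefix.length).split("?")[0].split(",");
  return procedures.includes("polls.duplicate");
}

// Parses one JSON object per line; malformed lines are skipped, not fatal.
function parseDupLog(text: string): DupEvent[] {
  const events: DupEvent[] = [];
  for (const line of text.split("\n")) {
    if (!line.trim()) continue;
    try {
      const e = JSON.parse(line);
      if (typeof e.uri_path === "string" && typeof e.user === "string") {
        events.push(e as DupEvent);
      }
    } catch {
      // skip unparsable line
    }
  }
  return events;
}

// Per-user counts for the duplication endpoint only (the equivalent of the
// advisory's `stats count by user, pollId`, plus denied attempts).
function summarizeDuplication(events: DupEvent[]): Map<string, UserSummary> {
  const out = new Map<string, UserSummary>();
  for (const e of events) {
    if (e.method !== "POST" || !isDuplicateCall(e.uri_path)) continue;
    let s = out.get(e.user);
    if (!s) {
      s = { user: e.user, ok: 0, denied: 0, polls: new Set<string>() };
      out.set(e.user, s);
    }
    if (e.response_status === 200) {
      s.ok += 1;
      s.polls.add(e.pollId);
    } else if (e.response_status === 401 || e.response_status === 403) {
      s.denied += 1;
    }
  }
  return out;
}

// Flags users who duplicated many distinct polls or were denied on the
// endpoint at all; thresholds are constructed defaults, tune to your traffic.
function flagSuspiciousUsers(summary: Map<string, UserSummary>, maxDistinctPolls = 3, maxDenied = 1): string[] {
  const flagged: string[] = [];
  for (const s of summary.values()) {
    if (s.polls.size >= maxDistinctPolls || s.denied >= maxDenied) flagged.push(s.user);
  }
  return flagged.sort();
}

// Stand-alone run over the constructed sample.
for (const s of summarizeDuplication(parseDupLog(SAMPLE_DUP_LOG)).values()) {
  console.log(`${s.user}: ok=${s.ok} denied=${s.denied} distinctPolls=${s.polls.size}`);
}
console.log("flagged:", flagSuspiciousUsers(summarizeDuplication(parseDupLog(SAMPLE_DUP_LOG))));
```

Denied attempts only appear after the patch (or after a proxy-level ownership check) is in place, so on an unpatched instance the distinct-pollId count is the signal to watch; the same batching caveat applies to any WAF or proxy rule written against the endpoint path.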