CVE-2025-65028

6.5 MEDIUM

📋 TL;DR

An insecure direct object reference (IDOR) vulnerability in Rallly allows authenticated users to modify other participants' votes in polls without authorization. This compromises poll data integrity by letting attackers alter results in their favor. All Rallly instances running versions before 4.5.4 are affected.

💻 Affected Systems

Products:
  • Rallly
Versions: All versions prior to 4.5.4
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects instances where user authentication is enabled; anonymous polls without authentication are not vulnerable.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Malicious actors systematically manipulate poll outcomes to influence decisions, compromise organizational voting processes, and undermine trust in collaborative scheduling tools.

🟠

Likely Case

Individual users tamper with specific polls to gain advantage in scheduling decisions or disrupt collaborative planning efforts.

🟢

If Mitigated

With proper access controls and monitoring, impact is limited to isolated incidents that can be detected and rolled back.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access but is trivial once authenticated: the attacker simply modifies the participantId parameter in vote update requests.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.5.4

Vendor Advisory: https://github.com/lukevella/rallly/security/advisories/GHSA-pchc-v5hg-f5gp

Restart Required: Yes

Instructions:

1. Back up your Rallly instance data.
2. Update to version 4.5.4 via package manager or manual installation.
3. Restart the Rallly service.
4. Verify the update was successful.

🔧 Temporary Workarounds

Implement API request validation middleware (applies to: all platforms)

Add server-side validation that verifies the authenticated user owns the participantId before processing vote updates.

# Custom middleware implementation required based on your deployment
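As an added illustration of that ownership check (not Rallly's own code), the unchecked pattern beside the corrected one in TypeScript; the data model, session shape, store and function names are assumptions:

```typescript
// Added example, not code from Rallly. The participant/vote shapes, the
// in-memory store and the function names are assumptions for illustration.
type Vote = { optionId: string; type: "yes" | "ifNeedBe" | "no" };
type Participant = { id: string; pollId: string; userId: string | null; votes: Vote[] };
type Session = { userId: string };

// Constructed sample data: two participants in one poll, owned by different users.
const participants: Map<string, Participant> = new Map([
  ["p-alice", { id: "p-alice", pollId: "poll-1", userId: "u-alice", votes: [] }],
  ["p-bob",   { id: "p-bob",   pollId: "poll-1", userId: "u-bob",   votes: [] }],
]);

class ForbiddenError extends Error {}
class NotFoundError extends Error {}

// Unchecked pattern (the IDOR): the handler trusts the client-supplied
// participantId and writes the votes without asking who owns that participant.
function updateVotesUnchecked(_session: Session, participantId: string, votes: Vote[]): Participant {
  const p = participants.get(participantId);
  if (!p) throw new NotFoundError(participantId);
  p.votes = votes;
  return p;
}

// Corrected pattern: resolve the participant server-side and require that its
// userId equals the authenticated session's userId before mutating anything.
// A single error for "missing" and "not yours" avoids confirming which
// participantIds exist to a caller who does not own them.
function updateVotesChecked(session: Session, participantId: string, votes: Vote[]): Participant {
  const p = participants.get(participantId);
  if (!p || p.userId === null || p.userId !== session.userId) {
    throw new ForbiddenError("not allowed to modify this participant");
  }
  p.votes = votes;
  return p;
}
```

In a real handler the same test belongs in the data-access layer as well (for example, filtering the update by both participant id and owner id), so that no route can bypass it.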

🧯 If You Can't Patch

  • Implement network segmentation to restrict access to Rallly instances
  • Enable detailed audit logging for all vote modification requests and monitor for unauthorized changes

🔍 How to Verify

Check if Vulnerable:

Check the Rallly version via the admin interface or by examining the package.json file for the version number.

Check Version:

grep '"version"' package.json || check Rallly admin dashboard

Verify Fix Applied:

After updating to 4.5.4, attempt to modify another user's vote using the participantId parameter; the request should be rejected.

📡 Detection & Monitoring

Log Indicators:

  • Multiple vote updates from the same user for different participantIds
  • Rapid vote changes across multiple participants

Network Indicators:

  • POST requests to vote endpoints with participantId parameters not matching authenticated user

SIEM Query:

source="rallly" AND (event="vote_update" AND participantId != user_id)

🔗 References
