CVE-2025-65029

8.1 HIGH

📋 TL;DR

This CVE describes an insecure direct object reference (IDOR) vulnerability in Rallly, an open-source scheduling tool. Any authenticated user can delete arbitrary participants from polls without ownership verification, potentially removing poll owners and disrupting collaboration. All Rallly instances running versions before 4.5.4 are affected.

💻 Affected Systems

Products:
  • Rallly
Versions: All versions prior to 4.5.4
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Any Rallly deployment with user authentication enabled is vulnerable. The vulnerability exists in the core application logic.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could systematically delete all participants from critical polls, including poll owners, completely disrupting scheduling operations and causing data loss.

🟠 Likely Case

Malicious or disgruntled users deleting participants from polls they shouldn't have access to, causing confusion and disrupting scheduling workflows.

🟢 If Mitigated

With proper access controls, only poll owners and authorized users can manage participants, maintaining data integrity.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access but is trivial once authenticated. Attackers only need to guess or enumerate participant IDs.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.5.4

Vendor Advisory: https://github.com/lukevella/rallly/security/advisories/GHSA-f8jc-6746-ww95

Restart Required: Yes

Instructions:

1. Backup your Rallly instance and database
2. Update to version 4.5.4 or later using your deployment method (Docker, manual, etc.)
3. Restart the Rallly service
4. Verify the update was successful

🔧 Temporary Workarounds

Temporary Access Restriction (all)

Implement network-level restrictions to limit access to the deletion endpoint.

🧯 If You Can't Patch

  • Implement application-level authorization checks for all participant deletion requests
  • Monitor and alert on suspicious deletion patterns in application logs
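The application-level authorization check named above, shown as an added example that is not Rallly's own code: a hypothetical participant-deletion handler in its vulnerable shape (trusting the participant ID alone) beside a hardened shape that resolves the participant to its poll and requires the caller to own that poll or to be the participant being removed. The types, in-memory store and sample data are constructed for the example.

```typescript
// Added example (not Rallly's code). Data model, store and names are hypothetical.
type Poll = { id: string; ownerId: string };
type Participant = { id: string; pollId: string; userId: string | null };

export class Store {
  constructor(public polls: Poll[], public participants: Participant[]) {}
}

// Vulnerable shape (the IDOR pattern): the handler acts on the participant ID
// alone, so any authenticated caller who can guess an ID can delete it.
export function deleteParticipantInsecure(store: Store, participantId: string): boolean {
  const before = store.participants.length;
  store.participants = store.participants.filter((p) => p.id !== participantId);
  return store.participants.length < before;
}

// Hardened shape: look the participant up, resolve its poll, and allow the
// deletion only when the caller owns that poll or is removing their own entry.
export function deleteParticipantSecure(
  store: Store,
  callerUserId: string,
  participantId: string,
): { ok: boolean; reason: "deleted" | "forbidden" | "not_found" } {
  const participant = store.participants.find((p) => p.id === participantId);
  if (!participant) return { ok: false, reason: "not_found" };
  const poll = store.polls.find((p) => p.id === participant.pollId);
  if (!poll) return { ok: false, reason: "not_found" };
  const isOwner = poll.ownerId === callerUserId;
  const isSelf = participant.userId === callerUserId;
  // The API layer should map "forbidden" and "not_found" to the same generic
  // response so a caller cannot confirm which participant IDs exist.
  if (!isOwner && !isSelf) return { ok: false, reason: "forbidden" };
  store.participants = store.participants.filter((p) => p.id !== participantId);
  return { ok: true, reason: "deleted" };
}

// Constructed sample data: alice owns poll p1; alice, bob and carol participate.
export function sampleStore(): Store {
  return new Store(
    [{ id: "p1", ownerId: "alice" }],
    [
      { id: "part-1", pollId: "p1", userId: "alice" },
      { id: "part-2", pollId: "p1", userId: "bob" },
      { id: "part-3", pollId: "p1", userId: "carol" },
    ],
  );
}
```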

🔍 How to Verify

Check if Vulnerable:

Check if your Rallly version is below 4.5.4. Test authenticated deletion of participants from polls you don't own.

Check Version:

Check the Rallly web interface or your deployment configuration for the version number.

Verify Fix Applied:

After updating to 4.5.4+, verify that authenticated users can only delete participants from polls they own or are authorized to manage.

📡 Detection & Monitoring

Log Indicators:

  • Multiple DELETE requests to participant endpoints from single user
  • Failed authorization attempts for participant deletion
  • Deletion of participants from polls not owned by the requesting user

Network Indicators:

  • Unusual patterns of DELETE requests to /api/participants/* endpoints

SIEM Query:

source="rallly" AND (method="DELETE" AND uri_path="/api/participants/*") | stats count by user_id, uri_path
