CVE-2025-65030
📋 TL;DR
An authorization flaw in Rallly's comment deletion API allows any authenticated user to delete comments belonging to other users, including poll owners and administrators. This vulnerability affects all Rallly instances running versions prior to 4.5.4 where user authentication is enabled.
💻 Affected Systems
- Rallly
📦 What is this software?
Rallly by Rallly
⚠️ Risk & Real-World Impact
Worst Case
Malicious authenticated users could systematically delete all comments in polls, disrupting collaboration and potentially destroying important scheduling information or discussions.
Likely Case
Users deleting comments they shouldn't have access to, causing confusion and data integrity issues in collaborative scheduling sessions.
If Mitigated
Limited impact with proper access controls and monitoring, though unauthorized deletions could still occur until patched.
🎯 Exploit Status
Exploitation requires authenticated access but is trivial once authenticated. No special tools or knowledge needed beyond basic API understanding.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.5.4
Vendor Advisory: https://github.com/lukevella/rallly/security/advisories/GHSA-4j32-25f9-qgfm
Restart Required: Yes
Instructions:
1. Back up your Rallly instance data.
2. Update to version 4.5.4 using your deployment method (Docker, manual, etc.).
3. Restart the Rallly service.
4. Verify the update was successful.
🔧 Temporary Workarounds
Disable comment deletion API
Temporarily disable or block access to the comment deletion endpoint until patching can be completed.
# Configure web server or firewall to block DELETE requests to /api/comments/* endpoints
Implement API gateway authorization
Add an authorization layer in front of Rallly that validates the requesting user's permissions before forwarding deletion requests.
# Configure reverse proxy or API gateway to validate user ownership before allowing comment deletion
🧯 If You Can't Patch
- Implement strict access controls and monitor all comment deletion activities in logs
- Educate users about the vulnerability and implement a manual approval process for comment deletions
🔍 How to Verify
Check if Vulnerable:
Check if your Rallly version is below 4.5.4. Test by having a regular authenticated user attempt to delete another user's comment via API.
Check Version:
Check the Rallly web interface footer or API response headers for version information
Verify Fix Applied:
After updating to 4.5.4, test that regular users can only delete their own comments and cannot delete comments belonging to other users.
📡 Detection & Monitoring
Log Indicators:
- Multiple DELETE requests to /api/comments/ endpoints from a single user
- DELETE requests to comment IDs not owned by requesting user
Network Indicators:
- Unusual pattern of DELETE requests to comment API
- DELETE requests with mismatched user-comment ownership
SIEM Query:
source="rallly" AND method="DELETE" AND uri="/api/comments/*" | stats count by user, uri
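Added illustration, not Rallly's own code: the ownership check that the fix and the API-gateway workaround above call for, shown beside the pre-4.5.4 "any authenticated user passes" behaviour, and the two log indicators from this section applied to constructed log lines. The data model, the set of roles allowed to delete (author, poll owner, admin) and the `user method uri` log format are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
@dataclass(frozen=True)
class Comment:
    id: str
    poll_id: str
    author_id: str

# Constructed sample data (an assumption, not Rallly's schema): one poll owned by
# alice with a comment each from alice and bob, plus one site administrator.
POLL_OWNERS = {"poll-1": "alice"}
COMMENTS = {"c1": Comment("c1", "poll-1", "alice"), "c2": Comment("c2", "poll-1", "bob")}
ADMINS = {"root"}

def can_delete_vulnerable(actor: str, comment_id: str) -> bool:
    """Pre-4.5.4 behaviour as the advisory describes it: any authenticated user passes."""
    return bool(actor) and comment_id in COMMENTS

def can_delete_fixed(actor: str, comment_id: str) -> bool:
    """Hardened check: only the comment's author, the poll owner or an admin may delete
    (which roles qualify is an assumption; match it to your deployment's policy)."""
    comment = COMMENTS.get(comment_id)
    if comment is None:
        return False
    return actor in (comment.author_id, POLL_OWNERS.get(comment.poll_id)) or actor in ADMINS

# Constructed access-log lines in the shape the SIEM query above assumes: user method uri
SAMPLE_LOG = """\
bob DELETE /api/comments/c2
bob DELETE /api/comments/c1
mallory DELETE /api/comments/c1
mallory DELETE /api/comments/c2
alice DELETE /api/comments/c2
"""

def find_suspicious_deletes(log_text: str, threshold: int = 2):
    """Apply the advisory's two log indicators: DELETEs the requester should not have
    been allowed (ownership mismatch) and users issuing at least `threshold` DELETEs."""
    mismatches, per_user = [], defaultdict(int)
    for line in log_text.splitlines():
        user, method, uri = line.split()
        if method != "DELETE" or not uri.startswith("/api/comments/"):
            continue
        per_user[user] += 1
        comment_id = uri.rsplit("/", 1)[1]
        if not can_delete_fixed(user, comment_id):
            mismatches.append((user, comment_id))
    heavy = sorted(u for u, n in per_user.items() if n >= threshold)
    return mismatches, heavy
```

On the constructed log, bob's and mallory's deletions of other users' comments are flagged as ownership mismatches while alice deleting bob's comment on her own poll is not, and both bob and mallory trip the volume threshold.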