CVE-2025-65031
📋 TL;DR
This vulnerability allows authenticated users of Rallly to impersonate any other user by manipulating the authorName field in comment creation API requests. Attackers can post comments under arbitrary usernames, including administrators, potentially enabling phishing or social engineering attacks. All Rallly instances running versions before 4.5.4 are affected.
💻 Affected Systems
- Rallly
📦 What is this software?
Rallly by Rallly
⚠️ Risk & Real-World Impact
Worst Case
Attackers impersonate administrators to issue malicious instructions, approve harmful changes, or spread disinformation that leads to data breaches or system compromise.
Likely Case
Attackers impersonate regular users to spread misleading information, create confusion in scheduling, or conduct targeted phishing against specific users.
If Mitigated
With proper monitoring and user awareness, impact is limited to temporary confusion and minor reputation damage until detected.
🎯 Exploit Status
Exploitation requires authenticated access but is trivial via API manipulation. No public exploit code has been released.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.5.4
Vendor Advisory: https://github.com/lukevella/rallly/security/advisories/GHSA-hhfc-6gq7-rrpm
Restart Required: Yes
Instructions:
1. Back up your Rallly instance and database.
2. Update to version 4.5.4 via package manager or manual installation.
3. Restart the Rallly service.
4. Verify the update was successful.
🔧 Temporary Workarounds
API Request Validation
Implement server-side validation to ensure authorName matches the authenticated user's identity
Modify comment creation endpoint to validate user identity against session/token
Disable Comment Functionality
Temporarily disable comment creation until the patch can be applied
Disable POST /api/comments endpoint in web server configuration
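The "API Request Validation" workaround above, as an added illustration that is not Rallly's own code: a comment-creation handler that trusts the client-supplied authorName (the pattern the advisory describes) beside one that derives the author from the authenticated session. The Session, CommentRequest and createComment* names and shapes are assumptions, not Rallly's actual API.

```typescript
// Added example, not Rallly's own code. The request/session shapes below
// (Session, CommentRequest, createComment*) are assumptions for illustration.

interface Session { userId: string; name: string }
interface CommentRequest { pollId: string; content: string; authorName?: string }
interface Comment { pollId: string; content: string; authorId: string; authorName: string }

type Result =
  | { ok: true; comment: Comment; spoofAttempt: boolean }
  | { ok: false; status: number; error: string };

// Vulnerable pattern the advisory describes: the handler persists whatever
// authorName the client sent, so any authenticated user can label a comment
// with another user's (or an administrator's) name.
function createCommentVulnerable(session: Session | null, body: CommentRequest): Result {
  if (!session) return { ok: false, status: 401, error: "unauthenticated" };
  const comment: Comment = {
    pollId: body.pollId,
    content: body.content,
    authorId: session.userId,
    authorName: body.authorName ?? session.name, // trusts client input
  };
  return { ok: true, comment, spoofAttempt: false };
}

// Hardened handler: authorName is always taken from the authenticated session.
// A client-supplied authorName that disagrees with the session is ignored and
// flagged, so the endpoint can log it as the "mismatched authorName and user
// session" indicator the advisory lists under Detection & Monitoring.
function createCommentHardened(session: Session | null, body: CommentRequest): Result {
  if (!session) return { ok: false, status: 401, error: "unauthenticated" };
  if (typeof body.content !== "string" || body.content.trim() === "") {
    return { ok: false, status: 400, error: "content is required" };
  }
  const spoofAttempt = body.authorName !== undefined && body.authorName !== session.name;
  const comment: Comment = {
    pollId: body.pollId,
    content: body.content,
    authorId: session.userId,
    authorName: session.name, // identity comes from the session, never the body
  };
  return { ok: true, comment, spoofAttempt };
}
```

The hardened handler corrects the name silently rather than rejecting the request, which matches the "rejected or corrected" behaviour the verification step expects; returning a 400 on mismatch is an equally valid choice.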
🧯 If You Can't Patch
- Implement strict API monitoring and alerting for unusual comment activity
- Educate users to verify suspicious comments and report impersonation attempts
🔍 How to Verify
Check if Vulnerable:
Test if you can create a comment with a different username than your authenticated identity via API
Check Version:
Check package.json for version or run 'npm list rallly' if installed via npm
Verify Fix Applied:
Attempt to create a comment with a different username: the request should be rejected, or the name corrected to your actual username.
📡 Detection & Monitoring
Log Indicators:
- API requests to comment endpoint with mismatched authorName and user session
- Multiple comments from same IP with different usernames
Network Indicators:
- Unusual comment patterns or rapid username switching in API traffic
SIEM Query:
source="rallly" AND (path="/api/comments" AND method="POST") AND authorName != user_identity